GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,258
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,533 advisories
Filter by severity
OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently
Moderate
CVE-2026-53859
was published
for
openclaw
(npm)
Jun 18, 2026
Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream)
High
GHSA-wm69-2pc3-rmmf
was published
for
crawl4ai
(pip)
Jun 18, 2026
BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
Low
CVE-2026-12566
was published
for
bbot
(pip)
Jun 18, 2026
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
High
GHSA-p6gq-j5cr-w38f
was published
for
nodemailer
(npm)
Jun 18, 2026
PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web tools via attacker-controlled searxng_url parameter
High
GHSA-4pcv-mg8v-vrgf
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding
High
GHSA-rjvw-7vvw-549v
was published
for
praisonai
(pip)
Jun 18, 2026
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
High
GHSA-vxgj-xg5c-p4h7
was published
for
praisonaiagents
(pip)
Jun 18, 2026
PraisonAI: SpiderTools redirect-target SSRF protection bypass
Moderate
GHSA-6h9p-93hq-q7h6
was published
for
praisonaiagents
(pip)
Jun 18, 2026
Gotenberg: SSRF via LibreOffice document processing
High
CVE-2026-55229
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
Jun 18, 2026
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
Low
CVE-2026-55671
was published
for
github.com/zitadel/zitadel
(Go)
Jun 18, 2026
The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all...
High
Unreviewed
CVE-2026-11395
was published
Jun 18, 2026
Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
High
CVE-2026-54018
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal
High
CVE-2026-54017
was published
for
open-webui
(pip)
Jun 17, 2026
Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
High
CVE-2026-54008
was published
for
open-webui
(pip)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Moderate
CVE-2026-53931
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Base Migration URL
Moderate
CVE-2026-53930
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Moderate
CVE-2026-53927
was published
for
nocodb
(npm)
Jun 17, 2026
Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently
Moderate
GHSA-vqx6-6j84-2794
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check
High
CVE-2026-53755
was published
for
crawl4ai
(pip)
Jun 16, 2026
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution
High
GHSA-f989-c77f-r2cq
was published
for
crawl4ai
(pip)
Jun 16, 2026
Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped)
High
CVE-2026-53754
was published
for
crawl4ai
(pip)
Jun 16, 2026
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Critical
CVE-2026-54157
was published
for
@lobehub/lobehub
(npm)
Jun 16, 2026
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Critical
CVE-2026-56266
was published
for
crawl4ai
(pip)
Jun 16, 2026
Hugo: security.http.urls allow-list bypass via HTTP redirects
Moderate
CVE-2026-50134
was published
for
github.com/gohugoio/hugo
(Go)
Jun 16, 2026
Deno: WebSocket API sandbox bypass via missing post-DNS check
Moderate
CVE-2026-49860
was published
for
deno
(Rust)
Jun 16, 2026
ProTip!
Advisories are also available from the
GraphQL API