Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,533 advisories

Loading
OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently Moderate
CVE-2026-53859 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream) High
GHSA-wm69-2pc3-rmmf was published for crawl4ai (pip) Jun 18, 2026
seankohjs Credited to seankohjs
sondt99 Credited to sondt99
Nx7n Credited to Nx7n
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding High
GHSA-rjvw-7vvw-549v was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS High
GHSA-vxgj-xg5c-p4h7 was published for praisonaiagents (pip) Jun 18, 2026
SnailSploit Credited to SnailSploit
PraisonAI: SpiderTools redirect-target SSRF protection bypass Moderate
GHSA-6h9p-93hq-q7h6 was published for praisonaiagents (pip) Jun 18, 2026
rexpository Credited to rexpository
Gotenberg: SSRF via LibreOffice document processing High
CVE-2026-55229 was published for github.com/gotenberg/gotenberg/v8 (Go) Jun 18, 2026
basikCc Credited to basikCc
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components Low
CVE-2026-55671 was published for github.com/zitadel/zitadel (Go) Jun 18, 2026
wooseokdotkim Credited to wooseokdotkim, IAM-marco, livio-a, 0xBassia, alanturing881, dungNHVhust, sondt99, DavidCarliez, tikket1, Wernerina, morimori-dev, and vamsik2k5 IAM-marco IAM-marco
livio-a livio-a 0xBassia 0xBassia alanturing881 alanturing881 dungNHVhust dungNHVhust sondt99 sondt99 DavidCarliez DavidCarliez tikket1 tikket1 Wernerina Wernerina morimori-dev morimori-dev vamsik2k5 vamsik2k5
Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects High
CVE-2026-54018 was published for open-webui (pip) Jun 17, 2026
POV9en Credited to POV9en and Classic298 Classic298 Classic298
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal High
CVE-2026-54017 was published for open-webui (pip) Jun 17, 2026
Tulgaaaaaaaa Credited to Tulgaaaaaaaa, sermikr0, and Classic298 sermikr0 sermikr0
Classic298 Classic298
matte1782 Credited to matte1782 and Classic298 Classic298 Classic298
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint Moderate
CVE-2026-53931 was published for nocodb (npm) Jun 17, 2026
p- Credited to p-
NocoDB: Server-Side Request Forgery via Base Migration URL Moderate
CVE-2026-53930 was published for nocodb (npm) Jun 17, 2026
TREXNEGRO Credited to TREXNEGRO
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL Moderate
CVE-2026-53927 was published for nocodb (npm) Jun 17, 2026
TREXNEGRO Credited to TREXNEGRO
Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently Moderate
GHSA-vqx6-6j84-2794 was published for openclaw (npm) Jun 16, 2026 withdrawn
Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check High
CVE-2026-53755 was published for crawl4ai (pip) Jun 16, 2026
geo-chen Credited to geo-chen
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution High
GHSA-f989-c77f-r2cq was published for crawl4ai (pip) Jun 16, 2026
geo-chen Credited to geo-chen
LobeHub: Unauthenticated SSRF in `/webapi/proxy` Critical
CVE-2026-54157 was published for @lobehub/lobehub (npm) Jun 16, 2026
0xj3st3r Credited to 0xj3st3r
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution Critical
CVE-2026-56266 was published for crawl4ai (pip) Jun 16, 2026
August829 Credited to August829
Hugo: security.http.urls allow-list bypass via HTTP redirects Moderate
CVE-2026-50134 was published for github.com/gohugoio/hugo (Go) Jun 16, 2026
unknownhad Credited to unknownhad
Deno: WebSocket API sandbox bypass via missing post-DNS check Moderate
CVE-2026-49860 was published for deno (Rust) Jun 16, 2026
alcls01111 Credited to alcls01111
ProTip! Advisories are also available from the GraphQL API