GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,132 advisories

OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets Moderate
GHSA-f7fh-qg34-x2xh was published for openclaw (npm) Apr 17, 2026
Credited to nicky-cc
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage Moderate
GHSA-536q-mj95-h29h was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement Moderate
GHSA-527m-976r-jf79 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy Moderate
GHSA-rj2p-j66c-mgqh was published for openclaw (npm) Apr 17, 2026
Credited to nicky-cc
OpenClaw: Browser SSRF policy default allowed private-network navigation Moderate
GHSA-53vx-pmqw-863c was published for openclaw (npm) Apr 17, 2026
Credited to dhyabi2
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding Moderate
GHSA-xq94-r468-qwgj was published for openclaw (npm) Apr 17, 2026
Credited to dhyabi2
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes Moderate
GHSA-2767-2q9v-9326 was published for openclaw (npm) Apr 17, 2026
Credited to threalwinky
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation Moderate
GHSA-c4qm-58hj-j6pj was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
Craftql vulnerable to Server-Side Request Forgery Moderate
CVE-2026-31317 was published for markhuot/craftql (Composer) Apr 17, 2026
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS Moderate
CVE-2026-5052 was published for github.com/hashicorp/vault (Go) Apr 17, 2026
langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding Low
GHSA-r7w7-9xr2-qq2r was published for langchain-openai (pip) Apr 16, 2026
Credited to deprrous
LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass Moderate
GHSA-fv5p-p927-qmxr was published for langchain-text-splitters (pip) Apr 16, 2026
Credited to Aeg1sx
Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server High
GHSA-45q2-gjvg-7973 was published for @angular/platform-server (npm) Apr 16, 2026
Credited to YLChen-007, alan-agius4, AndrewKushnir, and josephperrott
Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains High
GHSA-6r77-hqx7-7vw8 was published for flowise (npm) Apr 16, 2026
Credited to wsparks-vc
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) High
GHSA-2x8m-83vc-6wv4 was published for flowise (npm) Apr 16, 2026
Credited to ESPanda666 and JLLeitschuh
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox High
GHSA-xhmj-rg95-44hv was published for flowise (npm) Apr 16, 2026
Credited to Sn1r
Istio: SSRF via RequestAuthentication jwksUri Moderate
GHSA-fgw5-hp8f-xfhc was published for istio.io/istio (Go) Apr 16, 2026
Credited to KoreaSecurity, 1seal, and AKiileX
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL High
GHSA-f9g8-6ppc-pqq4 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
Credited to KoreaSecurity
Flowise Execute Flow function has an SSRF vulnerability Moderate
GHSA-9hrv-gvrv-6gf2 was published for flowise (npm) Apr 16, 2026
Credited to cn-panda
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure) Moderate
GHSA-qqvm-66q4-vf5c was published for flowise (npm) Apr 16, 2026
Credited to ESPanda666
Weblate: SSRF via the webhook add-on using unprotected fetch_url() Moderate
CVE-2026-39845 was published for weblate (pip) Apr 16, 2026
Credited to nijel
Weblate: SSRF via Project-Level Machinery Configuration Moderate
CVE-2026-34244 was published for weblate (pip) Apr 16, 2026
Credited to DavidCarliez, nijel, and amCap1712