GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
65 advisories
Filter by severity
Mautic Focus component Vulnerable to SSRF
Moderate
CVE-2026-9557
was published
for
mautic/core
(Composer)
Jul 2, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate
CVE-2026-54242
was published
for
statamic/cms
(Composer)
Jun 26, 2026
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
Moderate
CVE-2026-49359
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module
Moderate
CVE-2026-44583
was published
for
paymenter/paymenter
(Composer)
Jun 22, 2026
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables
Moderate
CVE-2026-55374
was published
for
jleehr/canto-saas-api
(Composer)
Jun 19, 2026
phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access
Moderate
GHSA-m557-wrgg-6rp4
was published
for
phpseclib/phpseclib
(Composer)
Jun 16, 2026
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate
CVE-2026-48736
was published
for
symfony/http-client
(Composer)
Jun 15, 2026
guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
Moderate
CVE-2026-48998
was published
for
guzzlehttp/psr7
(Composer)
Jun 11, 2026
Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation
Moderate
CVE-2026-48013
was published
for
shopware/core
(Composer)
Jun 4, 2026
Spatie Laravel Media Library contains a server-side request forgery vulnerability
Moderate
CVE-2026-48555
was published
for
spatie/laravel-medialibrary
(Composer)
May 29, 2026
Snappy : SSRF and local file read via the xsl-style-sheet option
Moderate
CVE-2026-46683
was published
for
knplabs/knp-snappy
(Composer)
May 21, 2026
Statamic CMS: Server-Side Request Forgery via Glide
Moderate
CVE-2026-45660
was published
for
statamic/cms
(Composer)
May 18, 2026
AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
Moderate
CVE-2026-45619
was published
for
WWBN/AVideo
(Composer)
May 15, 2026
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
Moderate
CVE-2026-43879
was published
for
wwbn/avideo
(Composer)
May 5, 2026
Admidio has an incomplete fix for CVE-2026-32812 (SSRF)
Moderate
CVE-2026-42194
was published
for
admidio/admidio
(Composer)
May 5, 2026
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)
Moderate
CVE-2026-41887
was published
for
flarum/core
(Composer)
Apr 22, 2026
Craftql vulnerable to Server-Side Request Forgery
Moderate
CVE-2026-31317
was published
for
markhuot/craftql
(Composer)
Apr 17, 2026
ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature
Moderate
CVE-2026-40500
was published
for
processwire/processwire
(Composer)
Apr 16, 2026
Craft CMS has a host header injection leading to SSRF via resource-js endpoint
Moderate
CVE-2026-41130
was published
for
craftcms/cms
(Composer)
Apr 14, 2026
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
Moderate
CVE-2026-41129
was published
for
craftcms/cms
(Composer)
Apr 14, 2026
WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
Moderate
CVE-2026-41055
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
Moderate
CVE-2026-39368
was published
for
WWBN/AVideo
(Composer)
Apr 8, 2026
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
Moderate
CVE-2026-35540
was published
for
roundcube/roundcubemail
(Composer)
Apr 3, 2026
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
Moderate
CVE-2026-34740
was published
for
wwbn/avideo
(Composer)
Apr 1, 2026
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
Moderate
CVE-2026-33766
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
ProTip!
Advisories are also available from the
GraphQL API