Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

65 advisories

Loading
Mautic Focus component Vulnerable to SSRF Moderate
CVE-2026-9557 was published for mautic/core (Composer) Jul 2, 2026
r1beirin Credited to r1beirin, patrykgruszka, dungNHVhust, and escopecz patrykgruszka patrykgruszka
dungNHVhust dungNHVhust escopecz escopecz
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) Moderate
CVE-2026-54242 was published for statamic/cms (Composer) Jun 26, 2026
jqr1449186277 Credited to jqr1449186277
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option Moderate
CVE-2026-49359 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module Moderate
CVE-2026-44583 was published for paymenter/paymenter (Composer) Jun 22, 2026
boomerangBS Credited to boomerangBS and CorwinDev CorwinDev CorwinDev
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables Moderate
CVE-2026-55374 was published for jleehr/canto-saas-api (Composer) Jun 19, 2026
jleehr Credited to jleehr
EvidentObscurity Credited to EvidentObscurity
tonghuaroot Credited to tonghuaroot and nicolas-grekas nicolas-grekas nicolas-grekas
guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation Moderate
CVE-2026-48998 was published for guzzlehttp/psr7 (Composer) Jun 11, 2026
edorian Credited to edorian
Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation Moderate
CVE-2026-48013 was published for shopware/core (Composer) Jun 4, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Spatie Laravel Media Library contains a server-side request forgery vulnerability Moderate
CVE-2026-48555 was published for spatie/laravel-medialibrary (Composer) May 29, 2026
Snappy : SSRF and local file read via the xsl-style-sheet option Moderate
CVE-2026-46683 was published for knplabs/knp-snappy (Composer) May 21, 2026
Statamic CMS: Server-Side Request Forgery via Glide Moderate
CVE-2026-45660 was published for statamic/cms (Composer) May 18, 2026
haoit Credited to haoit
offset Credited to offset
Admidio has an incomplete fix for CVE-2026-32812 (SSRF) Moderate
CVE-2026-42194 was published for admidio/admidio (Composer) May 5, 2026
decsecre583 Credited to decsecre583
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) Moderate
CVE-2026-41887 was published for flarum/core (Composer) Apr 22, 2026
LiamSnow Credited to LiamSnow and imorland imorland imorland
Craftql vulnerable to Server-Side Request Forgery Moderate
CVE-2026-31317 was published for markhuot/craftql (Composer) Apr 17, 2026
ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature Moderate
CVE-2026-40500 was published for processwire/processwire (Composer) Apr 16, 2026
Craft CMS has a host header injection leading to SSRF via resource-js endpoint Moderate
CVE-2026-41130 was published for craftcms/cms (Composer) Apr 14, 2026
HuajiHD Credited to HuajiHD
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations Moderate
CVE-2026-41129 was published for craftcms/cms (Composer) Apr 14, 2026
r3dbrothers Credited to r3dbrothers
WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF Moderate
CVE-2026-41055 was published for wwbn/avideo (Composer) Apr 14, 2026
WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services Moderate
CVE-2026-39368 was published for WWBN/AVideo (Composer) Apr 8, 2026
threalwinky Credited to threalwinky
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages Moderate
CVE-2026-35540 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation Moderate
CVE-2026-34740 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints Moderate
CVE-2026-33766 was published for wwbn/avideo (Composer) Mar 26, 2026
kodareef5 Credited to kodareef5 and Marcono1234 Marcono1234 Marcono1234
ProTip! Advisories are also available from the GraphQL API