
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

112 advisories

Admidio has an incomplete fix for CVE-2026-32812 (SSRF) Moderate
CVE-2026-42194 was published for admidio/admidio (Composer) May 5, 2026
Credited to decsecre583
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled Critical
CVE-2026-34084 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
Credited to calligraf0
Bagisto affected by Server-Side Request Forgery Low
CVE-2026-6744 was published for bagisto/bagisto (Composer) Apr 21, 2026
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() High
CVE-2026-43884 was published for wwbn/avideo (Composer) May 5, 2026
Credited to SnailSploit
Credited to offset
Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) Moderate
CVE-2026-41887 was published for flarum/core (Composer) Apr 22, 2026
Credited to LiamSnow and imorland
Craftql vulnerable to Server-Side Request Forgery Moderate
CVE-2026-31317 was published for markhuot/craftql (Composer) Apr 17, 2026
Craft CMS has a host header injection leading to SSRF via resource-js endpoint Moderate
CVE-2026-41130 was published for craftcms/cms (Composer) Apr 14, 2026
Credited to HuajiHD
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations Moderate
CVE-2026-41129 was published for craftcms/cms (Composer) Apr 14, 2026
Credited to r3dbrothers
WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL High
CVE-2026-41060 was published for wwbn/avideo (Composer) Apr 14, 2026
Credited to offset
WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF Moderate
CVE-2026-41055 was published for wwbn/avideo (Composer) Apr 14, 2026
ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature Moderate
CVE-2026-40500 was published for processwire/processwire (Composer) Apr 16, 2026
Webkul Krayin CRM has Server-Side Request Forgery (SSRF) High
CVE-2026-38527 was published for krayin/laravel-crm (Composer) Apr 14, 2026
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation Moderate
CVE-2026-33237 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to offset and Marcono1234
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints Moderate
CVE-2026-33766 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to kodareef5 and Marcono1234
WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services Moderate
CVE-2026-39368 was published for WWBN/AVideo (Composer) Apr 8, 2026
Credited to threalwinky
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages Moderate
CVE-2026-35540 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation Moderate
CVE-2026-34740 was published for wwbn/avideo (Composer) Apr 1, 2026
Credited to adrgs and aisafe-bot
Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL Moderate
CVE-2026-33182 was published for saloonphp/saloon (Composer) Mar 25, 2026
Credited to HuajiHD, JonPurvis, and Sammyjo20
league/commonmark has an embed extension allowed_domains bypass Moderate
CVE-2026-33347 was published for league/commonmark (Composer) Mar 19, 2026
Credited to HuajiHD
Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents Moderate
CVE-2026-33486 was published for roadiz/documents (Composer) Mar 23, 2026
Credited to ROCmertakdag and ambroisemaupate
Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin Moderate
CVE-2026-32279 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
Credited to odgrso
AVideo has Unauthenticated SSRF via plugin/Live/test.php Critical
CVE-2026-33502 was published for wwbn/avideo (Composer) Mar 20, 2026
Credited to Ahmad-jarwan
AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php Moderate
GHSA-wxjx-r2j2-96fx was published for wwbn/avideo (Composer) Mar 25, 2026
Credited to offset