GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,258
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
826 advisories
Filter by severity
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
High
GHSA-qrwj-vh9x-gw5v
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile
Moderate
CVE-2026-54637
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 6, 2026
flyto-core has SSRF guard bypass via IPv6 transition addresses (IPv4-mapped / 6to4 / NAT64) in validate_url_ssrf
High
CVE-2026-55787
was published
for
flyto-core
(pip)
Jul 6, 2026
Mautic Focus component Vulnerable to SSRF
Moderate
CVE-2026-9557
was published
for
mautic/core
(Composer)
Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate
GHSA-j5qp-p44g-2m49
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Moderate
GHSA-2944-57xv-2682
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate
GHSA-xw57-23p8-9wc5
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request
High
CVE-2026-50288
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
OpenClaw's browser act interactions could bypass private-network navigation checks
Moderate
CVE-2026-53812
was published
for
openclaw
(npm)
Jul 2, 2026
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
High
CVE-2026-50143
was published
for
@apify/actors-mcp-server
(npm)
Jul 1, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Low
CVE-2026-48978
was published
for
oras.land/oras-go
(Go)
Jul 1, 2026
Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
Moderate
CVE-2026-44936
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
SurrealDB: Port-specific --deny-net rules silently bypassed on HTTP redirect
Moderate
GHSA-97vg-427p-8hx5
was published
for
surrealdb
(Rust)
Jul 1, 2026
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback
High
CVE-2026-49857
was published
for
auth-fetch-mcp
(npm)
Jul 1, 2026
@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization
Moderate
CVE-2026-49856
was published
for
@jshookmcp/jshook
(npm)
Jul 1, 2026
Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage
High
CVE-2026-49478
was published
for
github.com/sigstore/fulcio
(Go)
Jun 30, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate
CVE-2026-54242
was published
for
statamic/cms
(Composer)
Jun 26, 2026
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
Moderate
CVE-2026-49359
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host
Moderate
CVE-2026-47076
was published
for
hackney
(Erlang)
Jun 26, 2026
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Low
CVE-2026-49262
was published
for
aimeos/pagible
(Composer)
Jun 26, 2026
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
Low
GHSA-rp72-5v5q-2446
was published
for
@cardano402/mcp-server
(npm)
Jun 26, 2026
Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF
High
GHSA-vgrc-hq28-p3xp
was published
for
github.com/apernet/hysteria/core/v2
(Go)
Jun 26, 2026
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Moderate
CVE-2026-48782
was published
for
pydantic-ai
(pip)
Jun 26, 2026
Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
High
CVE-2026-44161
was published
for
fluentd
(RubyGems)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API