Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

826 advisories

Loading
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write High
GHSA-qrwj-vh9x-gw5v was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile Moderate
CVE-2026-54637 was published for d7y.io/dragonfly/v2 (Go) Jul 6, 2026
tonghuaroot Credited to tonghuaroot and gaius-qi gaius-qi gaius-qi
tonghuaroot Credited to tonghuaroot
Mautic Focus component Vulnerable to SSRF Moderate
CVE-2026-9557 was published for mautic/core (Composer) Jul 2, 2026
r1beirin Credited to r1beirin, patrykgruszka, dungNHVhust, and escopecz patrykgruszka patrykgruszka
dungNHVhust dungNHVhust escopecz escopecz
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch Moderate
GHSA-j5qp-p44g-2m49 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction Moderate
GHSA-2944-57xv-2682 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range) Moderate
GHSA-xw57-23p8-9wc5 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request High
CVE-2026-50288 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw's browser act interactions could bypass private-network navigation checks Moderate
CVE-2026-53812 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token High
CVE-2026-50143 was published for @apify/actors-mcp-server (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header High
CVE-2026-50151 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
1seal Credited to 1seal
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens Low
CVE-2026-48978 was published for oras.land/oras-go (Go) Jul 1, 2026
1seal Credited to 1seal
Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml Moderate
CVE-2026-44936 was published for github.com/rancher/fleet (Go) Jul 1, 2026
SurrealDB: Port-specific --deny-net rules silently bypassed on HTTP redirect Moderate
GHSA-97vg-427p-8hx5 was published for surrealdb (Rust) Jul 1, 2026
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback High
CVE-2026-49857 was published for auth-fetch-mcp (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab
@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization Moderate
CVE-2026-49856 was published for @jshookmcp/jshook (npm) Jul 1, 2026
DavidCarliez Credited to DavidCarliez
Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage High
CVE-2026-49478 was published for github.com/sigstore/fulcio (Go) Jun 30, 2026
bugbunny-research Credited to bugbunny-research
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) Moderate
CVE-2026-54242 was published for statamic/cms (Composer) Jun 26, 2026
jqr1449186277 Credited to jqr1449186277
PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option Moderate
CVE-2026-49359 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host Moderate
CVE-2026-47076 was published for hackney (Erlang) Jun 26, 2026
Ganbagana Credited to Ganbagana and maennchen maennchen maennchen
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
PomPomSaturin Credited to PomPomSaturin
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
MorganOnCode Credited to MorganOnCode
Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF High
GHSA-vgrc-hq28-p3xp was published for github.com/apernet/hysteria/core/v2 (Go) Jun 26, 2026
0xlally Credited to 0xlally
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http` High
CVE-2026-44161 was published for fluentd (RubyGems) Jun 26, 2026
everping Credited to everping
ProTip! Advisories are also available from the GraphQL API