Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

230 advisories

Loading
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060) Moderate
CVE-2026-53509 was published for @aborruso/ckan-mcp-server (npm) Jul 7, 2026
hibrian827 Credited to hibrian827
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch Moderate
GHSA-j5qp-p44g-2m49 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction Moderate
GHSA-2944-57xv-2682 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range) Moderate
GHSA-xw57-23p8-9wc5 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request High
CVE-2026-50288 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw's browser act interactions could bypass private-network navigation checks Moderate
CVE-2026-53812 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token High
CVE-2026-50143 was published for @apify/actors-mcp-server (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback High
CVE-2026-49857 was published for auth-fetch-mcp (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab
@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization Moderate
CVE-2026-49856 was published for @jshookmcp/jshook (npm) Jul 1, 2026
DavidCarliez Credited to DavidCarliez
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
MorganOnCode Credited to MorganOnCode
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Artex09 Credited to Artex09
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata High
CVE-2026-48153 was published for @budibase/server (npm) Jun 22, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Lokka: Azure Resource Manager URL path validation issue High
GHSA-g2gw-q38m-vjfc was published for @merill/lokka (npm) Jun 19, 2026
hackchang Credited to hackchang
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read` High
GHSA-mrvx-jmjw-vggc was published for mcp-searxng (npm) Jun 19, 2026
EQSTLab Credited to EQSTLab and useworld useworld useworld
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints Moderate
CVE-2026-55591 was published for signalk-server (npm) Jun 18, 2026
anushkavirgaonkar Credited to anushkavirgaonkar
OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently Moderate
CVE-2026-53859 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint Moderate
CVE-2026-53931 was published for nocodb (npm) Jun 17, 2026
p- Credited to p-
NocoDB: Server-Side Request Forgery via Base Migration URL Moderate
CVE-2026-53930 was published for nocodb (npm) Jun 17, 2026
TREXNEGRO Credited to TREXNEGRO
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL Moderate
CVE-2026-53927 was published for nocodb (npm) Jun 17, 2026
TREXNEGRO Credited to TREXNEGRO
Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently Moderate
GHSA-vqx6-6j84-2794 was published for openclaw (npm) Jun 16, 2026 withdrawn
LobeHub: Unauthenticated SSRF in `/webapi/proxy` Critical
CVE-2026-54157 was published for @lobehub/lobehub (npm) Jun 16, 2026
0xj3st3r Credited to 0xj3st3r
Astro: Host header SSRF in prerendered error page fetch High
CVE-2026-54299 was published for astro (npm) Jun 16, 2026
5ud0er Credited to 5ud0er
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config Moderate
CVE-2026-54300 was published for @astrojs/netlify (npm) Jun 16, 2026
DavidCarliez Credited to DavidCarliez
ProTip! Advisories are also available from the GraphQL API