GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
230 advisories
Filter by severity
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
Moderate
CVE-2026-53509
was published
for
@aborruso/ckan-mcp-server
(npm)
Jul 7, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate
GHSA-j5qp-p44g-2m49
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Moderate
GHSA-2944-57xv-2682
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate
GHSA-xw57-23p8-9wc5
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request
High
CVE-2026-50288
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
OpenClaw's browser act interactions could bypass private-network navigation checks
Moderate
CVE-2026-53812
was published
for
openclaw
(npm)
Jul 2, 2026
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
High
CVE-2026-50143
was published
for
@apify/actors-mcp-server
(npm)
Jul 1, 2026
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback
High
CVE-2026-49857
was published
for
auth-fetch-mcp
(npm)
Jul 1, 2026
@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization
Moderate
CVE-2026-49856
was published
for
@jshookmcp/jshook
(npm)
Jul 1, 2026
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
Low
GHSA-rp72-5v5q-2446
was published
for
@cardano402/mcp-server
(npm)
Jun 26, 2026
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
High
CVE-2026-54353
was published
for
@budibase/backend-core
(npm)
Jun 22, 2026
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata
High
CVE-2026-48153
was published
for
@budibase/server
(npm)
Jun 22, 2026
Lokka: Azure Resource Manager URL path validation issue
High
GHSA-g2gw-q38m-vjfc
was published
for
@merill/lokka
(npm)
Jun 19, 2026
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
High
GHSA-mrvx-jmjw-vggc
was published
for
mcp-searxng
(npm)
Jun 19, 2026
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
Moderate
CVE-2026-55591
was published
for
signalk-server
(npm)
Jun 18, 2026
OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently
Moderate
CVE-2026-53859
was published
for
openclaw
(npm)
Jun 18, 2026
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
High
GHSA-p6gq-j5cr-w38f
was published
for
nodemailer
(npm)
Jun 18, 2026
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Moderate
CVE-2026-53931
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Base Migration URL
Moderate
CVE-2026-53930
was published
for
nocodb
(npm)
Jun 17, 2026
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Moderate
CVE-2026-53927
was published
for
nocodb
(npm)
Jun 17, 2026
Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently
Moderate
GHSA-vqx6-6j84-2794
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Critical
CVE-2026-54157
was published
for
@lobehub/lobehub
(npm)
Jun 16, 2026
Astro: Host header SSRF in prerendered error page fetch
High
CVE-2026-54299
was published
for
astro
(npm)
Jun 16, 2026
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
Moderate
CVE-2026-54300
was published
for
@astrojs/netlify
(npm)
Jun 16, 2026
ProTip!
Advisories are also available from the
GraphQL API