GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
82 advisories
Filter by severity
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise
Critical
CVE-2026-55166
was published
for
lemur
(pip)
Jun 25, 2026
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Critical
CVE-2026-54157
was published
for
@lobehub/lobehub
(npm)
Jun 16, 2026
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Critical
CVE-2026-56266
was published
for
crawl4ai
(pip)
Jun 16, 2026
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Critical
CVE-2026-42596
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 7, 2026
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
Critical
CVE-2026-42281
was published
for
magicmirror
(npm)
May 5, 2026
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
Critical
CVE-2026-42864
was published
for
firefighter-incident
(pip)
May 5, 2026
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
Critical
CVE-2026-34084
was published
for
phpoffice/phpspreadsheet
(Composer)
Apr 29, 2026
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Critical
CVE-2026-35459
was published
for
pyload-ng
(pip)
Apr 4, 2026
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical
CVE-2026-31818
was published
for
@budibase/backend-core
(npm)
Apr 3, 2026
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Critical
CVE-2026-32871
was published
for
fastmcp
(pip)
Mar 31, 2026
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Critical
CVE-2026-33992
was published
for
pyload-ng
(pip)
Mar 27, 2026
AVideo has Unauthenticated SSRF via plugin/Live/test.php
Critical
CVE-2026-33502
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Critical
CVE-2026-33351
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Critical
CVE-2026-25534
was published
for
io.spinnaker.clouddriver:clouddriver-artifacts
(Maven)
Mar 16, 2026
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical
CVE-2026-32301
was published
for
github.com/centrifugal/centrifugo
(Go)
Mar 13, 2026
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
Critical
CVE-2026-30832
was published
for
github.com/charmbracelet/soft-serve
(Go)
Mar 6, 2026
Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint
Critical
CVE-2026-28508
was published
for
idno/known
(Composer)
Mar 2, 2026
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Critical
CVE-2026-27739
was published
for
@angular/ssr
(npm)
Feb 25, 2026
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Critical
CVE-2026-22039
was published
for
github.com/kyverno/kyverno
(Go)
Jan 27, 2026
Grav may be vulnerable to SSRF attack via Twig Templates
Critical
CVE-2025-66844
was published
for
getgrav/grav
(Composer)
Dec 15, 2025
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Critical
CVE-2025-67494
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
Soft Serve is vulnerable to SSRF through its Webhooks
Critical
CVE-2025-64522
was published
for
github.com/charmbracelet/soft-serve
(Go)
Nov 10, 2025
cors-anywhere vulnerable to server-side request forgery
Critical
CVE-2020-36851
was published
for
cors-anywhere
(npm)
Sep 25, 2025
BentoML SSRF Vulnerability in File Upload Processing
Critical
CVE-2025-54381
was published
for
bentoml
(pip)
Jul 29, 2025
ProTip!
Advisories are also available from the
GraphQL API