GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
2,242 advisories
Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to...
High | Unreviewed | CVE-2026-41105 was published | May 8, 2026
utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
Moderate | CVE-2026-44661 was published for utcp-http (pip) | May 7, 2026
Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo
High | GHSA-8mc6-xjpr-h98x was published for github.com/lin-snow/ech0 (Go) | May 7, 2026
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
Low | CVE-2026-44589 was published for nuxt-og-image (npm) | May 7, 2026
A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is...
Low | Unreviewed | CVE-2026-8081 was published | May 7, 2026
docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler
Moderate | CVE-2026-44520 was published for docling-graph (pip) | May 7, 2026
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
Moderate | CVE-2026-42597 was published for github.com/gotenberg/gotenberg/v8 (Go) | May 7, 2026
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Critical | CVE-2026-42596 was published for github.com/gotenberg/gotenberg/v8 (Go) | May 7, 2026
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
Moderate | CVE-2026-42592 was published for github.com/gotenberg/gotenberg/v8 (Go) | May 7, 2026
Gotenberg has a Server-Side Request Forgery (SSRF) Issue
High | CVE-2026-42591 was published for github.com/gotenberg/gotenberg/v8 (Go) | May 7, 2026
Playwright Capture permits access to local files and internal network resources during page capture
Moderate | CVE-2026-44439 was published for PlaywrightCapture (pip) | May 6, 2026
misp-modules has unsafe remote resource fetching in expansion
Moderate | CVE-2026-44363 was published for misp-modules (pip) | May 6, 2026
PraisonAI has an SSRF bypass
High | CVE-2026-44335 was published for praisonaiagents (pip) | May 6, 2026
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct...
Moderate | Unreviewed | CVE-2026-44117 was published | May 6, 2026
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin...
Moderate | Unreviewed | CVE-2026-44116 was published | May 6, 2026
A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated,...
High | Unreviewed | CVE-2026-20035 was published | May 6, 2026
QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0
High | CVE-2026-42339 was published for github.com/QuantumNous/new-api (Go) | May 6, 2026
Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands
Moderate | CVE-2026-42184 was published for tauri (Rust) | May 6, 2026
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
High | CVE-2026-43884 was published for wwbn/avideo (Composer) | May 5, 2026
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
Moderate | CVE-2026-43879 was published for wwbn/avideo (Composer) | May 5, 2026
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
Critical | CVE-2026-42281 was published for magicmirror (npm) | May 5, 2026
open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
High | CVE-2026-42260 was published for open-websearch (npm) | May 5, 2026
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
High | CVE-2026-43929 was published for ssrfcheck (npm) | May 5, 2026
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid
High | CVE-2025-8267 was published for ssrfcheck (npm) | May 5, 2026
link-preview-js vulnerable to IPv6 and internal loopback attacks
High | CVE-2026-43897 was published for link-preview-js (npm) | May 5, 2026