GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
170 advisories
Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API
Moderate - CVE-2026-23845 was published for github.com/axllent/mailpit (Go) - Jan 21, 2026
Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability
Moderate - CVE-2025-15104 was published for nu.validator:validator (Maven) - Jan 16, 2026
Umbraco CMS contains a server-side request forgery vulnerability
Moderate - CVE-2021-47776 was published for UmbracoCms (NuGet) - Jan 15, 2026
Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass
Moderate - CVE-2026-22772 was published for github.com/sigstore/fulcio (Go) - Jan 13, 2026
Ghost has SSRF via External Media Inliner
Moderate - CVE-2026-22597 was published for ghost (npm) - Jan 8, 2026
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources
Moderate - CVE-2026-21885 was published for miniflux.app/v2 (Go) - Jan 7, 2026
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
Moderate - CVE-2026-21859 was published for github.com/axllent/mailpit (Go) - Jan 6, 2026
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API
Moderate - CVE-2025-67427 was published for @evershop/evershop (npm) - Jan 5, 2026
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
Moderate - CVE-2025-68437 was published for craftcms/cms (Composer) - Jan 5, 2026
hemmelig allows SSRF Filter bypass via Secret Request functionality
Moderate - CVE-2025-69206 was published for hemmelig (npm) - Dec 29, 2025
Local Deep Research is Vulnerable to Server-Side Request Forgery (SSRF) in Download Service
Moderate - CVE-2025-67743 was published for local-deep-research (pip) - Dec 23, 2025
Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification
Moderate - CVE-2025-34469 was published for cowrie (pip) - Dec 20, 2025
kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass
Moderate - CVE-2025-13281 was published for k8s.io/kubernetes (Go) - Dec 15, 2025
PowerJob has a server-side request forgery vulnerability in PingPongUtils.java
Moderate - CVE-2025-14518 was published for tech.powerjob:powerjob-common (Maven) - Dec 11, 2025
Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability
Moderate - CVE-2025-65513 was published for mcp-fetch-server (npm) - Dec 10, 2025
JDA (Java Discord API) downloads external URLs when updating message components
Moderate - GHSA-93fv-4pm9-xp28 was published for net.dv8tion:JDA (Maven) - Dec 9, 2025
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host
Moderate - CVE-2025-66405 was published for @portkey-ai/gateway (npm) - Dec 2, 2025
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Moderate - CVE-2025-64525 was published for astro (npm) - Nov 13, 2025
Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery
Moderate - CVE-2025-12058 was published for keras (pip) - Oct 29, 2025
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
Moderate - CVE-2025-59155 was published for hackmd-mcp (npm) - Sep 15, 2025
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
Moderate - CVE-2025-9862 was published for ghost (npm) - Sep 15, 2025
Liferay Portal is vulnerable to SSRF through custom object attachment fields
Moderate - CVE-2025-43763 was published for com.liferay:com.liferay.object.service (Maven) - Sep 9, 2025
Next.js Improper Middleware Redirect Handling Leads to SSRF
Moderate - CVE-2025-57822 was published for next (npm) - Aug 29, 2025
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
Moderate - CVE-2025-57814 was published for request-filtering-agent (npm) - Aug 25, 2025
Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java
Moderate - CVE-2024-39954 was published for org.apache.eventmesh:eventmesh-runtime (Maven) - Aug 20, 2025
ProTip! Advisories are also available from the GraphQL API