GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,865 advisories
Statamic Vulnerable to Server-Side Request Forgery via Glide
Moderate: CVE-2026-28423 was published for statamic/cms (Composer) on Mar 1, 2026

Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
High: CVE-2026-28416 was published for gradio (pip) on Mar 1, 2026

Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7...
Moderate, Unreviewed: CVE-2026-27759 was published on Feb 28, 2026

ZITADEL has potential SSRF via Actions
Low: CVE-2026-27945 was published for github.com/zitadel/zitadel/v2 (Go) on Feb 27, 2026

A vulnerability was identified in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3. The impacted...
Moderate, Unreviewed: CVE-2026-3286 was published on Feb 27, 2026

A vulnerability has been found in psi-probe PSI Probe up to 5.3.0. This affects the function...
Moderate, Unreviewed: CVE-2026-3270 was published on Feb 27, 2026

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability...
Moderate, Unreviewed: CVE-2026-28295 was published on Feb 26, 2026

TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
High: CVE-2026-27818 was published for terriajs-server (npm) on Feb 26, 2026

Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API
Moderate: CVE-2026-27808 was published for github.com/axllent/mailpit (Go) on Feb 26, 2026

LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Moderate: CVE-2026-27795 was published for @langchain/community (npm) on Feb 25, 2026

esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
High: CVE-2026-27730 was published for github.com/esm-dev/esm.sh (Go) on Feb 25, 2026

Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Critical: CVE-2026-27739 was published for @angular/ssr (npm) on Feb 25, 2026

changedetection.io is Vulnerable to SSRF via Watch URLs
High: CVE-2026-27696 was published for changedetection.io (pip) on Feb 25, 2026

AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
High: CVE-2026-27732 was published for wwbn/avideo (Composer) on Feb 25, 2026

A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This...
Low, Unreviewed: CVE-2026-3189 was published on Feb 25, 2026

OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field
Low: CVE-2026-24005 was published for github.com/openkruise/kruise (Go) on Feb 25, 2026

Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
Moderate: CVE-2026-27829 was published for @astrojs/node (npm) on Feb 25, 2026

esm.sh is vulnerable to full-response SSRF
High: CVE-2025-50180 was published for github.com/esm-dev/esm.sh (Go) on Feb 25, 2026

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request...
Moderate, Unreviewed: CVE-2026-2479 was published on Feb 25, 2026

A vulnerability has been found in SourceCodester Website Link Extractor 1.0. This vulnerability...
Moderate, Unreviewed: CVE-2026-3163 was published on Feb 25, 2026

Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads
Moderate: CVE-2026-27567 was published for payload (npm) on Feb 24, 2026

Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
Moderate: CVE-2026-27129 was published for craftcms/cms (Composer) on Feb 24, 2026

A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function...
Moderate, Unreviewed: CVE-2026-3052 was published on Feb 24, 2026

Astro has Full-Read SSRF in error rendering via Host: header injection
Moderate: CVE-2026-25545 was published for @astrojs/node (npm) on Feb 23, 2026

A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown...
Moderate, Unreviewed: CVE-2026-3026 was published on Feb 23, 2026
ProTip! Advisories are also available from the GraphQL API