GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
2,087 advisories
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin...
Moderate | Unreviewed | CVE-2026-4979 was published Apr 11, 2026
rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration
Moderate | GHSA-55v6-g8pm-pw4c was published for rembg (pip) Apr 10, 2026
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery...
Moderate | Unreviewed | CVE-2026-39921 was published Apr 10, 2026
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery...
Moderate | Unreviewed | CVE-2026-39922 was published Apr 10, 2026
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint
High | CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 10, 2026
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation
Moderate | GHSA-r2x7-427f-rq69 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Critical | CVE-2026-40175 was published for axios (npm) Apr 10, 2026
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
High | CVE-2026-40114 was published for PraisonAI (pip) Apr 10, 2026
PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback
High | CVE-2026-40160 was published for praisonaiagents (pip) Apr 10, 2026
PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool
High | CVE-2026-40150 was published for praisonaiagents (pip) Apr 10, 2026
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
High | CVE-2026-40107 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts
Low | CVE-2026-6011 was published for openclaw (npm) Apr 10, 2026
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Moderate | GHSA-8j7f-g9gv-7jhc was published for openclaw (npm) Apr 10, 2026 • withdrawn
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
Moderate | GHSA-w8g9-x8gx-crmm was published for openclaw (npm) Apr 9, 2026
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation
Moderate | GHSA-vr5g-mmx7-h897 was published for openclaw (npm) Apr 9, 2026
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths
Moderate | GHSA-3fv3-6p2v-gxwj was published for openclaw (npm) Apr 9, 2026
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Critical | CVE-2025-62718 was published for axios (npm) Apr 9, 2026
api-lab-mcp vulnerable to SSRF
Moderate | CVE-2026-5832 was published for api-lab-mcp (npm) Apr 9, 2026
A security flaw has been discovered in bigsk1 openai-realtime-ui up to...
Moderate | Unreviewed | CVE-2026-5803 was published Apr 8, 2026
n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode
High | CVE-2026-39974 was published for n8n-mcp (npm) Apr 8, 2026
mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
High | CVE-2026-39885 was published for @frontmcp/adapters (npm) Apr 8, 2026
Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure....
Moderate | Unreviewed | CVE-2026-33458 was published Apr 8, 2026
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization...
Moderate | Unreviewed | CVE-2026-32591 was published Apr 8, 2026
A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by...
Moderate | Unreviewed | CVE-2026-2377 was published Apr 8, 2026
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of...
Critical | Unreviewed | CVE-2026-31017 was published Apr 8, 2026
ProTip! Advisories are also available from the GraphQL API.