GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
    Severity: Low | ID: CVE-2026-44589 | Package: nuxt-og-image (npm) | Published: May 7, 2026

@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts
    Severity: High | ID: GHSA-jxh8-jh77-xh6g | Package: @evomap/evolver (npm) | Published: May 5, 2026

@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)
    Severity: High | ID: GHSA-cfcj-hqpf-hccf | Package: @evomap/evolver (npm) | Published: May 5, 2026

open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
    Severity: High | ID: CVE-2026-42260 | Package: open-websearch (npm) | Published: May 5, 2026

FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
    Severity: Critical | ID: CVE-2026-42864 | Package: firefighter-incident (pip) | Published: May 5, 2026

In the Linux kernel, the following vulnerability has been resolved: bpf: sockmap: Fix use-after...
    Severity: High | Status: Unreviewed | ID: CVE-2026-43016 | Published: May 1, 2026

Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)
    Severity: Low | ID: CVE-2026-41321 | Package: @astrojs/cloudflare (npm) | Published: Apr 23, 2026

Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write
    Severity: High | ID: CVE-2026-42075 | Package: @evomap/evolver (npm) | Published: Apr 22, 2026

Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
    Severity: Moderate | ID: CVE-2026-42077 | Package: @evomap/evolver (npm) | Published: Apr 22, 2026

justhtml has sanitization bypass in custom policies and programmatic DOM
    Severity: Moderate | ID: GHSA-vrx2-77f2-ww34 | Package: justhtml (pip) | Published: Apr 22, 2026

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
    Severity: Moderate | ID: CVE-2026-41650 | Package: fast-xml-parser (npm) | Published: Apr 22, 2026

engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
    Severity: High | ID: GHSA-2r2p-4cgf-hv7h | Package: engramx (npm) | Published: Apr 22, 2026

Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
    Severity: High | ID: CVE-2026-34403 | Package: github.com/0xJacky/Nginx-UI (Go) | Published: Apr 21, 2026

Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
    Severity: High | ID: CVE-2026-41271 | Package: flowise (npm) | Published: Apr 16, 2026

Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
    Severity: High | ID: CVE-2026-41272 | Package: flowise (npm) | Published: Apr 16, 2026

Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
    Severity: High | ID: CVE-2026-41270 | Package: flowise (npm) | Published: Apr 16, 2026

Flowise: Code Injection in CSVAgent leads to Authenticated RCE
    Severity: Critical | ID: CVE-2026-41137 | Package: flowise (npm) | Published: Apr 16, 2026

Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.
    Severity: High | ID: CVE-2026-41138 | Package: flowise (npm) | Published: Apr 16, 2026

Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
    Severity: Moderate | ID: GHSA-qqvm-66q4-vf5c | Package: flowise (npm) | Published: Apr 16, 2026

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context
    Severity: Moderate | ID: CVE-2026-33889 | Package: apostrophe (npm) | Published: Apr 16, 2026

NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
    Severity: Moderate | ID: CVE-2026-40346 | Package: @nocobase/plugin-workflow-request (npm) | Published: Apr 15, 2026

WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
    Severity: Critical | ID: CVE-2026-40911 | Package: wwbn/avideo (Composer) | Published: Apr 14, 2026

Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach
    Severity: High | ID: GHSA-fmqp-4wfc-w3v7 | Package: github.com/kyverno/kyverno (Go) | Published: Apr 14, 2026

SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
    Severity: High | ID: CVE-2026-40107 | Package: github.com/siyuan-note/siyuan/kernel (Go) | Published: Apr 10, 2026

rfc3161-client Has Improper Certificate Validation
    Severity: Moderate | ID: CVE-2026-33753 | Package: rfc3161-client (pip) | Published: Apr 8, 2026