Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

41 advisories

Loading
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes High
CVE-2026-45741 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
yuui25 Credited to yuui25
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification High
CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) May 23, 2026
Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy) High
CVE-2026-45298 was published for github.com/amir20/dozzle (Go) May 18, 2026
Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass High
CVE-2026-42595 was published for github.com/gotenberg/gotenberg/v8 (Go) May 11, 2026
AyushParkara Credited to AyushParkara
Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo High
GHSA-8mc6-xjpr-h98x was published for github.com/lin-snow/ech0 (Go) May 7, 2026
Gotenberg has a Server-Side Request Forgery (SSRF) Issue High
CVE-2026-42591 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
kakarotsec Credited to kakarotsec
QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0 High
CVE-2026-42339 was published for github.com/QuantumNous/new-api (Go) May 6, 2026
MeeseeksX Credited to MeeseeksX
Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection High
CVE-2026-40280 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
morimori-dev Credited to morimori-dev
Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services High
CVE-2026-44015 was published for github.com/0xJacky/Nginx-UI (Go) Apr 29, 2026
miffyaa Credited to miffyaa
monetr: Server-side request forgery in Lunch Flow link creation and refresh High
CVE-2026-41644 was published for github.com/monetr/monetr (Go) Apr 22, 2026
elliotcourant Credited to elliotcourant
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL High
CVE-2026-41323 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
KoreaSecurity Credited to KoreaSecurity
Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access High
CVE-2026-4789 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
iggypopi Credited to iggypopi and stepanskyigor-orca stepanskyigor-orca stepanskyigor-orca
Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach High
GHSA-fmqp-4wfc-w3v7 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
b0b0haha Credited to b0b0haha and j311yl0v3u j311yl0v3u j311yl0v3u
Kyverno has unrestricted outbound requests in Kyverno apiCall enabling SSRF High
GHSA-qr4g-8hrp-c4rw was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
scumfrog Credited to scumfrog
Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server High
CVE-2026-34476 was published for github.com/apache/skywalking-mcp (Go) Apr 13, 2026
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint High
CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 10, 2026
msoneri Credited to msoneri
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering High
CVE-2026-40107 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
kodareef5 Credited to kodareef5
Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm High
CVE-2026-33540 was published for github.com/distribution/distribution (Go) Apr 6, 2026
1seal Credited to 1seal
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata High
CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
offset Credited to offset
Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature High
CVE-2026-35036 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
VashuVats Credited to VashuVats
Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) High
CVE-2026-27018 was published for github.com/gotenberg/gotenberg/v7 (Go) Mar 30, 2026
q1uf3ng Credited to q1uf3ng
SiYuan has a Full-Read SSRF via /api/network/forwardProxy High
CVE-2026-32110 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 12, 2026
ritikchaddha Credited to ritikchaddha and neo-ai-engineer neo-ai-engineer neo-ai-engineer
WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources High
CVE-2026-30858 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102 and Haruna38 Haruna38 Haruna38
PinchTab has SSRF with Full Response Exfiltration via Download Handler High
CVE-2026-30834 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route High
CVE-2026-27730 was published for github.com/esm-dev/esm.sh (Go) Feb 25, 2026
poppo25 Credited to poppo25
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database