
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

91 advisories

HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS (Moderate)
CVE-2026-5052 was published for github.com/hashicorp/vault (Go) Apr 17, 2026

Istio: SSRF via RequestAuthentication jwksUri (Moderate)
GHSA-fgw5-hp8f-xfhc was published for istio.io/istio (Go) Apr 16, 2026
Credited to KoreaSecurity, 1seal, and AKiileX

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL (High)
GHSA-f9g8-6ppc-pqq4 was published for github.com/kyverno/kyverno (Go) Apr 16, 2026
Credited to KoreaSecurity

Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access (High)
CVE-2026-4789 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to iggypopi and stepanskyigor-orca

Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach (High)
GHSA-fmqp-4wfc-w3v7 was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to b0b0haha and j311yl0v3u

Kyverno has unrestricted outbound requests in Kyverno apiCall enabling SSRF (High)
GHSA-qr4g-8hrp-c4rw was published for github.com/kyverno/kyverno (Go) Apr 14, 2026
Credited to scumfrog

Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server (High)
CVE-2026-34476 was published for github.com/apache/skywalking-mcp (Go) Apr 13, 2026

Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint (High)
CVE-2026-40242 was published for github.com/getarcaneapp/arcane/backend (Go) Apr 10, 2026
Credited to msoneri

Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation (Moderate)
GHSA-r2x7-427f-rq69 was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
Credited to offset

SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering (High)
CVE-2026-40107 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
Credited to kodareef5

Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm (High)
CVE-2026-33540 was published for github.com/distribution/distribution (Go) Apr 6, 2026
Credited to 1seal

Casdoor vulnerable to SSRF via crafted Webhook URL (Moderate)
CVE-2026-5469 was published for github.com/casdoor/casdoor (Go) Apr 3, 2026

Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata (High)
CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to offset

Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature (High)
CVE-2026-35036 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to VashuVats

Duplicate Advisory: Kyverno is vulnerable to server-side request forgery (SSRF) (Moderate)
GHSA-qqrv-2hch-83q4 was published for github.com/kyverno/kyverno (Go) Mar 30, 2026 (withdrawn)

Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) (Moderate)
CVE-2026-33990 was published for github.com/docker/model-runner (Go) Mar 30, 2026
Credited to davidrxchester

Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) (High)
CVE-2026-27018 was published for github.com/gotenberg/gotenberg/v7 (Go) Mar 30, 2026
Credited to q1uf3ng

Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download (Moderate)
CVE-2026-33679 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset

Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources (Moderate)
CVE-2026-33675 was published for code.vikunja.io/api (Go) Mar 25, 2026
Credited to offset

PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl (Moderate)
CVE-2026-33619 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Credited to mean3374

PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation (Moderate)
CVE-2026-33081 was published for github.com/pinchtab/pinchtab (Go) Mar 18, 2026
Credited to Yesuhei

Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration (Moderate)
CVE-2026-32828 was published for github.com/akuity/kargo (Go) Mar 16, 2026
Credited to maru1009 and krancour

Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation (Moderate)
CVE-2026-2455 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026

Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL (Critical)
CVE-2026-32301 was published for github.com/centrifugal/centrifugo (Go) Mar 13, 2026
Credited to VarshankNaik

SiYuan has a Full-Read SSRF via /api/network/forwardProxy (High)
CVE-2026-32110 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 12, 2026
Credited to ritikchaddha and neo-ai-engineer