GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,987 advisories
OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
High
GHSA-rhfg-j8jq-7v2h
was published
for
openclaw
(npm)
Mar 29, 2026
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Critical
CVE-2026-33992
was published
for
pyload-ng
(pip)
Mar 27, 2026
Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
High
GHSA-89v5-38xr-9m4j
was published
for
postiz
(npm)
Mar 27, 2026
Postiz App has a High-Severity SSRF Vulnerability via Next.js
High
GHSA-vj2p-7pgw-g2wf
was published
for
postiz
(npm)
Mar 27, 2026
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
Moderate
CVE-2026-33766
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation
Low
CVE-2026-4874
was published
for
org.keycloak:keycloak-services
(Maven)
Mar 26, 2026
Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL
Moderate
CVE-2026-33182
was published
for
saloonphp/saloon
(Composer)
Mar 25, 2026
Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
Moderate
CVE-2026-33679
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
Moderate
CVE-2026-33675
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
Moderate
CVE-2026-33693
was published
for
activitypub_federation
(Rust)
Mar 25, 2026
ProTip!
Advisories are also available from the
GraphQL API