Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,534 advisories

Loading
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs High
CVE-2026-33655 was published for github.com/QuantumNous/new-api (Go) Jul 7, 2026
b-hermes Credited to b-hermes
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write High
GHSA-qrwj-vh9x-gw5v was published for github.com/coder/coder/v2 (Go) Jul 6, 2026
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile Moderate
CVE-2026-54637 was published for d7y.io/dragonfly/v2 (Go) Jul 6, 2026
tonghuaroot Credited to tonghuaroot and gaius-qi gaius-qi gaius-qi
tonghuaroot Credited to tonghuaroot
A flaw has been found in AIAnytime Awesome-MCP-Server up to... Low Unreviewed
CVE-2026-14748 was published Jul 5, 2026
Mautic Focus component Vulnerable to SSRF Moderate
CVE-2026-9557 was published for mautic/core (Composer) Jul 2, 2026
r1beirin Credited to r1beirin, patrykgruszka, dungNHVhust, and escopecz patrykgruszka patrykgruszka
dungNHVhust dungNHVhust escopecz escopecz
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch Moderate
GHSA-j5qp-p44g-2m49 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction Moderate
GHSA-2944-57xv-2682 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range) Moderate
GHSA-xw57-23p8-9wc5 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request High
CVE-2026-50288 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw's browser act interactions could bypass private-network navigation checks Moderate
CVE-2026-53812 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
Subscriber Server Side Request Forgery (SSRF) in GeoDirectory <= 2.8.161 versions. Moderate Unreviewed
CVE-2026-57681 was published Jul 2, 2026
ProTip! Advisories are also available from the GraphQL API