Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,908
Erlang
39
GitHub Actions
38
Go
2,568
Maven
5,000+
npm
4,240
NuGet
754
pip
4,004
Pub
12
RubyGems
953
Rust
1,042
Swift
45
Unreviewed advisories
All unreviewed
5,000+

379 advisories

Loading
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module Low
CVE-2025-62505 was published for @lobehub/chat (npm) Oct 17, 2025
im-soohyun
Credited to im-soohyun
Angular SSR has a Server-Side Request Forgery (SSRF) flaw High
CVE-2025-62427 was published for @angular/ssr (npm) Oct 16, 2025
meDavidNS securityMB
jkrems alan-agius4 josephperrott
Credited to meDavidNS, securityMB, jkrems, alan-agius4, and josephperrott
vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class High
CVE-2025-6242 was published for vllm (pip) Oct 7, 2025
kexinoh d3do-23
lonelyuan huachenheli DarkLight1337 russellb sidhpurwala-huzaifa
Credited to kexinoh, d3do-23, lonelyuan, huachenheli, DarkLight1337, russellb, and sidhpurwala-huzaifa
LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities High
CVE-2025-61784 was published for llamafactory (pip) Oct 7, 2025
d3do-23 kexinoh
lonelyuan
Credited to d3do-23, kexinoh, and lonelyuan
Apache Kylin Server-Side Request Forgery (SSRF) Vulnerability High
CVE-2025-61735 was published for org.apache.kylin:kylin (Maven) Oct 2, 2025
cors-anywhere vulnerable to server-side request forgery Critical
CVE-2020-36851 was published for cors-anywhere (npm) Sep 25, 2025
Dragonfly vulnerable to server-side request forgery High
CVE-2025-59346 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi
Credited to gaius-qi
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability Moderate
CVE-2025-59155 was published for hackmd-mcp (npm) Sep 15, 2025
yuna0x0
Credited to yuna0x0
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark Moderate
CVE-2025-9862 was published for ghost (npm) Sep 15, 2025
FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability High
CVE-2025-59527 was published for flowise (npm) Sep 15, 2025
im-soohyun
Credited to im-soohyun
Liferay Portal is vulnerable to SSRF through custom object attachment fields Moderate
CVE-2025-43763 was published for com.liferay:com.liferay.object.service (Maven) Sep 9, 2025
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter High
CVE-2025-58179 was published for @astrojs/cloudflare (npm) Sep 4, 2025
ghostdevv monizb
alexanderniebuhr ascorbic ematipico delucis
Credited to ghostdevv, monizb, alexanderniebuhr, ascorbic, ematipico, and delucis
Mautic vulnerable to SSRF via webhook function Low
CVE-2025-9821 was published for mautic/core (Composer) Sep 3, 2025
asesidaa patrykgruszka
kuzmany lukehebe
Credited to asesidaa, patrykgruszka, kuzmany, and lukehebe
Next.js Improper Middleware Redirect Handling Leads to SSRF Moderate
CVE-2025-57822 was published for next (npm) Aug 29, 2025
medikoo prdngr
Credited to medikoo and prdngr
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1 Moderate
CVE-2025-57814 was published for request-filtering-agent (npm) Aug 25, 2025
ikkisoft
Credited to ikkisoft
PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser High
CVE-2025-54370 was published for phpoffice/phpspreadsheet (Composer) Aug 25, 2025
Mattermost Server SSRF Vulnerability via the Agents Plugin Low
CVE-2025-47700 was published for github.com/mattermost/mattermost-server (Go) Aug 21, 2025
Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java Moderate
CVE-2024-39954 was published for org.apache.eventmesh:eventmesh-runtime (Maven) Aug 20, 2025
WP Crontrol Authenticated (Administrator+) plugin vulnerable to Blind Server-Side Request Forgery Moderate
CVE-2025-8678 was published for johnbillion/wp-crontrol (Composer) Aug 19, 2025
jFriedli
Credited to jFriedli
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery Moderate
CVE-2025-4581 was published for com.liferay.portal:release.dxp.bom (Maven) Aug 9, 2025
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery Moderate
CVE-2025-4655 was published for com.liferay.portal:release.dxp.bom (Maven) Aug 9, 2025
Grafana Infinity Datasource Plugin SSRF Vulnerability Moderate
CVE-2025-8341 was published for github.com/grafana/grafana-infinity-datasource (Go) Aug 4, 2025
BentoML SSRF Vulnerability in File Upload Processing Critical
CVE-2025-54381 was published for bentoml (pip) Jul 29, 2025
geckosecurity jjjutla
nkoorty
Credited to geckosecurity, jjjutla, and nkoorty
webfinger.js Blind SSRF Vulnerability Moderate
CVE-2025-54590 was published for webfinger.js (npm) Jul 28, 2025
orihjfrog silverbucket
Credited to orihjfrog and silverbucket
ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability High
CVE-2025-8267 was published for ssrfcheck (npm) Jul 28, 2025
lirantal
Credited to lirantal
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database