GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
2,106 advisories
Craft CMS has a host header injection leading to SSRF via resource-js endpoint
Moderate
GHSA-95wr-3f2v-v2wh
was published
for
craftcms/cms
(Composer)
Apr 14, 2026
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
Moderate
GHSA-3m9m-24vh-39wx
was published
for
craftcms/cms
(Composer)
Apr 14, 2026
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection
High
GHSA-4x48-cgf9-q33f
was published
for
@novu/api
(npm)
Apr 14, 2026
WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
High
GHSA-j432-4w3j-3w8j
was published
for
wwbn/avideo
(Composer)
Apr 14, 2026
Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access
High
CVE-2026-4789
was published
for
github.com/kyverno/kyverno
(Go)
Apr 14, 2026
Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach
High
GHSA-fmqp-4wfc-w3v7
was published
for
github.com/kyverno/kyverno
(Go)
Apr 14, 2026
Kyverno has unrestricted outbound requests in Kyverno apiCall enabling SSRF
High
GHSA-qr4g-8hrp-c4rw
was published
for
github.com/kyverno/kyverno
(Go)
Apr 14, 2026
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint
High
CVE-2026-40242
was published
for
github.com/getarcaneapp/arcane/backend
(Go)
Apr 10, 2026
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation
Moderate
GHSA-r2x7-427f-rq69
was published
for
github.com/lin-snow/ech0
(Go)
Apr 10, 2026
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Critical
CVE-2026-40175
was published
for
axios
(npm)
Apr 10, 2026
ProTip!
Advisories are also available from the
GraphQL API