GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
63 advisories
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Critical
CVE-2026-22039
was published
for
github.com/kyverno/kyverno
(Go)
Jan 27, 2026
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Critical
CVE-2025-67494
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
Soft Serve is vulnerable to SSRF through its Webhooks
Critical
CVE-2025-64522
was published
for
github.com/charmbracelet/soft-serve
(Go)
Nov 10, 2025
BentoML SSRF Vulnerability in File Upload Processing
Critical
CVE-2025-54381
was published
for
bentoml
(pip)
Jul 29, 2025
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)
Critical
CVE-2024-34711
was published
for
org.geoserver.main:gs-main
(Maven)
Jun 10, 2025
LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback
Critical
CVE-2025-32013
was published
for
lnbits
(pip)
Apr 7, 2025
http4k has a potential XXE (XML External Entity Injection) vulnerability
Critical
CVE-2024-55875
was published
for
org.http4k:http4k-format-xml
(Maven)
Dec 12, 2024
NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint
Critical
CVE-2023-49785
was published
for
nextchat
(npm)
Aug 5, 2024
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Critical
CVE-2024-32964
was published
for
@lobehub/chat
(npm)
May 10, 2024
SSRF vulnerability using the Aegis DataBinding in Apache CXF
Critical
CVE-2024-28752
was published
for
org.apache.cxf:cxf-rt-databinding-aegis
(Maven)
Mar 15, 2024
Ray has arbitrary code execution via jobs submission API
Critical
CVE-2023-48022
was published
for
ray
(pip)
Nov 28, 2023
ProTip!
Advisories are also available from the
GraphQL API