50 matches found

Vulnrichment
added 2026/05/07 11:56 a.m., 5 views

CVE-2026-41644 monetr is vulnerable to server-side request forgery in Lunch Flow link creation and refresh

monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs...

CVSS 8.3, AI score 5.9, EPSS 0.00016
Exploits 0, References 4

CVE
added 2026/05/07 11:56 a.m., 14 views

CVE-2026-41644

CVE-2026-41644 – SSRF in monetr Lunch Flow : The vulnerability occurs in the Lunch Flow link creation/refresh endpoint (POST /api/lunch_flow/link) of self-hosted monetr installations where LunchFlow.Enabled is true and sign-ups are allowed. An authenticated user can cause the server to fetch arbi...

CVSS 8.3, AI score 5.9, EPSS 0.00016
Exploits 0, References 4, Affected Software 1

ATTACKERKB
added 2026/05/07 11:56 a.m., 5 views

CVE-2026-41644

monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs...

CVSS 8.3, AI score 5.9, EPSS 0.00016
Exploits 0, References 5, Affected Software 1

Cvelist
added 2026/05/07 11:56 a.m., 31 views

CVE-2026-41644 monetr is vulnerable to server-side request forgery in Lunch Flow link creation and refresh

monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs...

CVSS 8.3, EPSS 0.00016
Exploits 0, References 4

Snyk
added 2026/04/22 7:57 p.m., 2 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...

CVSS 8.5, AI score 5.9, EPSS 0.00016
Exploits 0, References 4

Github Security Blog
added 2026/04/22 7:57 p.m., 7 views

monetr: Server-side request forgery in Lunch Flow link creation and refresh

Impact A server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream response...

CVSS 8.3, AI score 6.1, EPSS 0.00016
Exploits 0, References 6, Affected Software 1

OSV
added 2026/04/10 12:00 a.m., 2 views

OPENSUSE-SU-2026:10523-1 clusterctl-1.12.5-1.1 on GA media

These are all security issues fixed in the clusterctl-1.12.5-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 9.1, AI score 5.8, EPSS 0.0002
Exploits 1, References 1

RedhatCVE
added 2026/01/09 9:32 a.m., 2 views

CVE-2023-25052

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Teplitsa Yandex.News Feed by Teplitsa plugin <= 1.12.5 versions...

CVSS 5.9, AI score 5.2, EPSS 0.00207
Exploits 0, References 1

RedhatCVE
added 2026/01/09 8:41 a.m., 8 views

CVE-2022-31020

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

CVSS 8.8, AI score 7.5, EPSS 0.01579
Exploits 0, References 1

Cvelist
added 2025/12/04 8:27 p.m., 17 views

CVE-2025-13543 PostGallery <= 1.12.5 - Authenticated (Subscriber+) Arbitrary File Upload

The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above...

CVSS 8.8, EPSS 0.00083
Exploits 0, References 2

CVE
added 2025/12/04 8:27 p.m., 10 views

CVE-2025-13543

CVE-2025-13543 affects the WordPress plugin PostGallery (versions

CVSS 8.8, AI score 7.1, EPSS 0.00083
Exploits 0, References 2

Vulnrichment
added 2025/12/04 8:27 p.m., 2 views

CVE-2025-13543 PostGallery <= 1.12.5 - Authenticated (Subscriber+) Arbitrary File Upload

The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above...

CVSS 8.8, AI score 7.1, EPSS 0.00083
Exploits 0, References 2

RedhatCVE
added 2025/09/30 10:46 p.m., 2 views

CVE-2025-59163

vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE...

CVSS 2.1, AI score 6.8, EPSS 0.00185
Exploits 0, References 1

OSV
added 2025/09/29 9:51 p.m., 2 views

CVE-2025-59163 vet MCP Server SSE Transport DNS Rebinding Vulnerability

vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE...

CVSS 2.1, AI score 6.5, EPSS 0.00185
Exploits 0, References 5

Vulnrichment
added 2025/09/29 9:51 p.m., 1 view

CVE-2025-59163 vet MCP Server SSE Transport DNS Rebinding Vulnerability

vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE...

CVSS 2.1, AI score 6.4, EPSS 0.00185
Exploits 0, References 3

CVE
added 2025/09/29 9:51 p.m., 9 views

CVE-2025-59163

CVE-2025-59163 describes a DNS rebinding vulnerability in the vet MCP Server SSE Transport within the open-source vet tool (github.com/safedep/vet). The issue arises from missing validation of HTTP Host and Origin headers, enabling remote attackers to access data from the vet scan sqlite3 databas...

CVSS 2.1, AI score 6.4, EPSS 0.00185
Exploits 0, References 3

Cvelist
added 2025/09/29 9:51 p.m., 5 views

CVE-2025-59163 vet MCP Server SSE Transport DNS Rebinding Vulnerability

vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE...

CVSS 2.1, EPSS 0.00185
Exploits 0, References 3

Positive Technologies
added 2025/09/29 12:00 a.m., 2 views

PT-2025-39909

Name of the Vulnerable Software and Affected Versions vet versions prior to 1.12.5 Description The software is susceptible to a DNS rebinding attack because of missing HTTP Host and Origin header validation. When used as an MCP server in SSE mode with default ports, the sqlite3 database containin...

CVSS 9.9, AI score 6.4, EPSS 0.06448
Exploits 11, References 49

RedhatCVE
added 2025/05/22 5:43 p.m., 10 views

CVE-2020-14144

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLEGITHOOKS line i...

CVSS 7.2, AI score 8, EPSS 0.93529
Exploits 12

CNNVD
added 2024/10/11 12:00 a.m., 3 views

Revic Optics Revic Ops Security Vulnerability

Revic Optics Revic Ops is a free ballistic calculator from Revic Optics. A security vulnerability exists in Revic Optics Revic Ops version 1.12.5, which stems from the inclusion of a vulnerability that would allow a remote attacker to obtain sensitive information through the firmware update proce...

CVSS 9.1, AI score 6.5, EPSS 0.00175
Exploits 0, References 3