CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

CVE-2026-7412

CVE-2026-7412 affects Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10. The Operation Delegation feature fails to validate the destination URI of delegated requests, enabling an unauthenticated remote attacker to coerce the BaSyx server into performing blind HTTP POSTs to arbitr...

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

PT-2026-37080

Name of the Vulnerable Software and Affected Versions Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 Description The Operation Delegation feature fails to validate the destination URI of delegated requests. This design flaw allows an unauthenticated remote attacker to force th...

CVE-2026-31878 Frappe: Possible SSRF by any authenticated user

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6...

CVE-2026-27600 HomeBox affected by Blind SSRF

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although...

Server-Side Request Forgery (SSRF)

Cowrie is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to the wget and curl emulation making real outbound HTTP requests without rate limiting, which allows an attacker to repeatedly trigger requests and abuse the honeypot to generate denial-of-service traffic toward...

Server-side Request Forgery (SSRF)

Overview cors-anywhere is a CORS Anywhere is a reverse proxy which adds CORS headers to the proxied request. Request URL is taken from the path Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the proxy process. An attacker can access internal-only endpoint...

cors-anywhere 安全漏洞

cors-anywhere is a NodeJS reverse proxy by Rob Wu, a personal developer. A security vulnerability exists in cors-anywhere that stems from allowing an unauthenticated external user when configured as an open proxy to trick the server into making HTTP requests to arbitrary targets, which could lead...

Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory

...

cpython: python: Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory

A flaw was found in the Python tarfile module. This vulnerability allows attackers to bypass extraction filters, enabling symlink targets to escape the destination directory and allowing unauthorized modification of file metadata via the use of TarFile.extract or TarFile.extractall with the filte...

RSSHub vulnerable to Server-Side Request Forgery

Summary Serveral Server-Side Request Forgery SSRF vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service DoS attacks. Details...

CVE-2023-41054

LibreY is a fork of LibreX, a framework-less and javascript-free privacy respecting meta search engine. LibreY is subject to a Server-Side Request Forgery SSRF vulnerability in the imageproxy.php file of LibreY before commit 8f9b9803f231e2954e5b49987a532d28fe50a627. This vulnerability allows remo...