Lucene search
K

381 matches found

ATTACKERKB
ATTACKERKB
added 2026/04/22 9:22 p.m.6 views

CVE-2026-41172

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS5.8AI score0.00215EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/22 9:22 p.m.16 views

CVE-2026-41172

Squidex (open source headless CMS) is affected by an SSRF vulnerability in asset uploads prior to version 7.23.0. A user with asset upload permission can cause the server to fetch arbitrary URLs (including localhost/private network targets) and persist the response as an asset. The issue is fixed...

8.6CVSS5.8AI score0.00215EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/22 7:57 p.m.11 views

monetr: Server-side request forgery in Lunch Flow link creation and refresh

Impact A server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream response...

8.3CVSS6.1AI score0.00331EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.8 views

PT-2026-34570

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS5.8AI score0.00215EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.12 views

Squidex 代码问题漏洞

Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities were caused by a server-side request forgeing issue, allowing users with asset upload permissions to force the server to obtain arbitrary...

8.6CVSS6AI score0.00215EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.12 views

PT-2026-34611

Name of the Vulnerable Software and Affected Versions monetr versions prior to 1.12.5 Description A server-side request forgery SSRF issue in the Lunch Flow integration allows authenticated users on self-hosted instances to force the server to send HTTP GET requests to arbitrary URLs. The respons...

8.3CVSS5.9AI score0.00331EPSS
Exploits0References10
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.22 views

Squidex 代码问题漏洞

Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities stemmed from the RestoreController.PostRestoreJob endpoint, which allowed administrators to download backup archives from arbitrary URLs,...

8.5CVSS6AI score0.00238EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/20 4:4 p.m.5 views

EUVD-2026-23893

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...

5.8CVSS5.9AI score0.00203EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/20 12:0 a.m.11 views

PT-2026-33790

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...

5.8CVSS5.9AI score0.00203EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/15 10:30 p.m.6 views

Server-side Request Forgery (SSRF)

Overview processwire/processwire is a CMS/CMF. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the Add Module From URL process. An attacker can access internal network resources and sensitive endpoints by supplying arbitrary URLs to the module download...

6.8CVSS5.9AI score0.00385EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 8:6 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the APICall feature. An attacker can access sensitive internal resources and exfiltrate confidential data by supplying arbitrary URLs to the APICall feature, which are executed with elevated privilege...

7.7CVSS5.9AI score
Exploits0References2
OSV
OSV
added 2026/04/10 9:31 p.m.8 views

GHSA-V8F7-CG9P-W5JX Duplicate Advisory: GeoNode contains a server-side request forgery vulnerability in the service registration endpoint

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hw9r-6m78-w6h3. This link is maintained to preserve external references. Original Description GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the...

6.3CVSS5.5AI score0.00172EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/10 8:34 p.m.5 views

CVE-2026-40242

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...

7.2CVSS5.8AI score0.00621EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2026/04/10 8:16 p.m.23 views

PYSEC-2026-61

GeoNode versions 4.4.5 and 5.0.2 and prior within their respective releases contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL durin...

6.3CVSS5.9AI score0.00172EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/04/10 8:16 p.m.15 views

CVE-2026-39922

GeoNode versions 4.4.5 and 5.0.2 and prior within their respective releases contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL durin...

6.3CVSS0.00172EPSS
Exploits0References2
NVD
NVD
added 2026/04/10 8:16 p.m.5 views

CVE-2026-30232

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...

9.6CVSS0.00242EPSS
Exploits0References2
CVE
CVE
added 2026/04/10 7:53 p.m.21 views

CVE-2026-39922

CVE-2026-39922 affects GeoNode 4.x (pre-4.4.5) and 5.x (pre-5.0.2). The issue is a server-side request forgery in the service registration endpoint, allowing authenticated attackers to submit crafted service URLs to trigger outbound requests to arbitrary URLs via the WMS service handler, bypassin...

6.3CVSS5.5AI score0.00172EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/10 7:22 p.m.4 views

CVE-2026-39985

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...

6.1CVSS5.9AI score0.00204EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/10 7:15 p.m.3 views

CVE-2026-30232

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...

7.8CVSS5.9AI score0.00242EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/10 7:15 p.m.4 views

CVE-2026-30232 Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...

7.8CVSS5.9AI score0.00242EPSS
Exploits0References2
Rows per page
Query Builder