CVE-2026-31955

CVE-2026-31955 affects Xibo CMS prior to 4.4.1. An authenticated SSRF vulnerability in the remote DataSet functionality allows users with DataSet permissions (and the privilege to add DataSets to Layouts) to cause the CMS server to issue arbitrary HTTP requests to internal or external resources. ...

CVE-2026-33534 EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery SSRF vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation e.g.,...

CVE-2026-32871

FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A vulnerabilit...

GHSA-6R7F-Q7F5-WPX8 Payload has Authenticated SSRF via Upload Functionality

Impact An authenticated Server-Side Request Forgery SSRF vulnerability existed in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. Consumers are affected if ALL of...

GHSA-VV7Q-7JX5-F767 FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

Technical Description The OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A critical vulnerability exists in the buildurl method. When an OpenAPI...

EUVD-2019-6120

Malware in sbrugna...

EUVD-2024-46287

Malicious code in bioql PyPI...

BIT-REDASH-2020-12725

Havoc Research discovered an authenticated Server-Side Request Forgery SSRF via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests e.g., by adding...

CVE-2021-37711

Shopware 6.x versions prior to 6.4.3.1 are vulnerable to an authenticated server-side request forgery (SSRF) via file upload by URL. The vulnerability is fixed in version 6.4.3.1. For older branches (6.1, 6.2, 6.3), security measures via a plugin are available as a workaround. No exploit details ...

CVE-2020-12725

Havoc Research discovered an authenticated Server-Side Request Forgery SSRF via the "JSON" data source of Redash open-source 8.0.0 and prior. Possibly, other connectors are affected. The SSRF is potent and provides a lot of flexibility in terms of being able to craft HTTP requests e.g., by adding...

CVE-2020-8118

CVE-2020-8118 describes an authenticated server-side request forgery (SSRF) in Nextcloud Server 16.0.1 . The vulnerability exists in the calendar application’s “add new subscription” workflow and permits an attacker to detect local and remote services. The connected documents consistently identif...

CVE-2019-15033

Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring...