
133 matches found

OSV
added yesterday, 4 views

ROOT-APP-NPM-CVE-2022-0235 CVE-2022-0235 in @rootio/node-fetch - Patched by Root

Root has patched CVE-2022-0235 in the @rootio/node-fetch package for Root:npm. Multiple fixed versions available...

CVSS 8.8, AI score 8.2, EPSS 0.0029
Exploits: 1

OSV
added yesterday, 3 views

GHSA-777C-7FJR-54VF Allocation of Resources Without Limits or Throttling in Axios

Summary: Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies large...

CVSS 7.5, AI score 5.8
Exploits: 0, References: 5

OSV
added 2026/05/14 6:26 p.m., 1 view

GHSA-PR28-MF3Q-QPG6 Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget

Summary: ApostropheCMS contains an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses,...

CVSS 7.6, AI score 5.8
Exploits: 0, References: 2

NVD
added 2026/05/08 5:16 a.m., 6 views

CVE-2022-26523

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94...

CVSS 5.3, EPSS 0.00538
Exploits: 0, References: 2

AstraLinux
added 2026/05/03 11:59 p.m., 3 views

Astra Linux - vulnerability in ansible

A flaw was discovered in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then select a new destination path on the controller node. All versions under 2.7.x, 2.8.x, and 2.9.x branches are believed to be vulnerable...

CVSS 4.6, AI score 6.8, EPSS 0.00138
Exploits: 1, References: 2

Positive Technologies
added 2026/04/28 12:0 a.m., 3 views

PT-2026-35655

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request...

CVSS 7.5, AI score 7.1, EPSS 0.00058
Exploits: 0, References: 9

Snyk
added 2026/04/23 9:52 p.m., 4 views

Server-side Request Forgery (SSRF)

Overview: @astrojs/cloudflare is a package described as "Deploy your site to Cloudflare Workers/Pages". Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch function in image-binding-transform endpoint. An attacker can cause the server to make unauthorized requests to arbitra...

CVSS 7.2, AI score 5.6, EPSS 0.00376
Exploits: 1, References: 2

OSV
added 2026/04/01 12:1 a.m., 0 views

GHSA-QXGF-HMCJ-3XW3 OpenClaw affected by SSRF via unguarded image download in fal provider

Summary: The fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path. Impact: A malicious or compromised fal relay could make the gateway fetch internal URLs and expose metadata or internal service responses throug...

CVSS 2.3, AI score 5.9, EPSS 0.00054
Exploits: 0, References: 6

Snyk
added 2026/03/29 3:48 p.m., 0 views

Server-side Request Forgery (SSRF)

Overview: openclaw is 🦞 OpenClaw, a Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An attacker can...

CVSS 8.8, AI score 5.9, EPSS 0.00046
Exploits: 0, References: 2

OSV
added 2026/03/13 8:3 p.m., 0 views

GHSA-J77H-RR39-C552 Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL

Summary: Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. tenant). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the...

CVSS 9.3, AI score 5.9, EPSS 0.00109
Exploits: 1, References: 4

Snyk
added 2026/03/03 9:19 p.m., 2 views

Server-side Request Forgery (SSRF)

Overview: openclaw is 🦞 OpenClaw, a Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the webfetch process when environment proxy variables are configured. An attacker can access internal or private network resources by supplying...

CVSS 7.6, AI score 5.8, EPSS 0.00066
Exploits: 0, References: 3

NVD
added 2026/02/21 10:16 a.m., 4 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 7.3, EPSS 0.00018
Exploits: 0, References: 3

Snyk
added 2026/02/20 9:13 p.m., 1 view

Server-side Request Forgery (SSRF)

Overview: openclaw is 🦞 OpenClaw, a Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch function in the cron webhook delivery process. An attacker can access internal or private network resources by specifying malicious webhook...

CVSS 7.3, AI score 5.6, EPSS 0.00018
Exploits: 0, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 0 views

MiracleLinux 8 : go-toolset:rhel8 (AXSA:2024-7550:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7550:01 advisory. golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326); golang: cmd/go: Protocol Fallback when...

CVSS 7.5, AI score 5.6, EPSS 0.00123
Exploits: 0, References: 3

Tenable Nessus
added 2026/01/15 12:0 a.m., 1 view

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-002581)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002581 advisory. The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary acces...

CVSS 7.8, AI score 7, EPSS 0.00046
Exploits: 0, References: 8

RedhatCVE
added 2026/01/09 11:20 a.m., 4 views

CVE-2021-22041

VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host...

CVSS 6.7, AI score 7.2, EPSS 0.00459
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 10:8 a.m., 3 views

CVE-2019-20610

An issue was discovered on Samsung mobile devices with N(7.X) and O(8.X) (Exynos 7570, 7870, 7880, 7885, 8890, 8895, and 9810 chipsets) software. A double-fetch vulnerability in Trustlet allows arbitrary TEE code execution. The Samsung ID is SVE-2019-13910 (April 2019)...

CVSS 9.3, AI score 7.6, EPSS 0.00151
Exploits: 0, References: 1

CNNVD
added 2025/12/30 12:0 a.m., 2 views

Fetch security vulnerability

Fetch is an FTP file transfer client from Fetch USA. A security vulnerability exists in Fetch version 5.8.2, which stems from consuming 100% CPU while processing an extremely long server response, which may result in a denial of service...

CVSS 7.5, AI score 6.7, EPSS 0.00088
Exploits: 1, References: 4

RedhatCVE
added 2025/12/11 5:3 a.m., 4 views

CVE-2025-65513

fetch-mcp v1.0.2 and before is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validation and access internal network resources...

CVSS 7.5, AI score 6.9, EPSS 0.00072
Exploits: 1, References: 1

vulnersOsv
added 2025/11/24 9:23 p.m., 5 views

@jbrowse/core (>=1.4.0 <=1.7.3), @persistr/js (>=3.6.3 <=3.14.0) +5 more potentially affected by unknown CVE via tenacious-fetch (=2.3.1)

tenacious-fetch NPM version =2.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on tenacious-fetch and may be impacted: - @jbrowse/core =1.4.0, =3.6.3, =1.0.5, =1.0.0, =1.2.0 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191023...

AI score 5.8
Exploits: 0