Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

89597 matches found

RedhatCVE
RedhatCVEadded 2026/05/15 7:57 p.m.12 views

CVE-2026-43879

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. Wh...

5.4CVSS5.8AI score0.00165EPSS
Exploits0References1
CVE
CVEadded 2026/05/15 7:22 p.m.21 views

CVE-2026-45331

CVE-2026-45331 concerns Open WebUI’s validate_url() in backend/open_webui/retrieval/web/utils.py, where a call to validators.ipv6(ip, private=True) raises a ValidationError due to the library not implementing the private keyword for IPv6. This causes IPv6 addresses to bypass the intended filter, ...

8.5CVSS5.8AI score0.00286EPSS
Exploits1References1Affected Software1
NVD
NVDadded 2026/05/15 7:16 p.m.18 views

CVE-2021-47958

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

5.3CVSS0.00238EPSS
Exploits0References3
EUVD
EUVDadded 2026/05/15 6:36 p.m.7 views

EUVD-2021-34813

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References3
Vulnrichment
Vulnrichmentadded 2026/05/15 6:36 p.m.11 views

CVE-2021-47958 CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References3
CVE
CVEadded 2026/05/15 6:36 p.m.16 views

CVE-2021-47958

CVE-2021-47958 affects CouchCMS 2.2.1 and is a server-side request forgery via SVG upload. An authenticated attacker can upload SVG files containing external entity references through the browse.php endpoint to trigger arbitrary HTTP requests from the server, enabling access to internal services ...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References3
Cvelist
Cvelistadded 2026/05/15 6:36 p.m.34 views

CVE-2021-47958 CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

5.3CVSS0.00238EPSS
Exploits0References3
ATTACKERKB
ATTACKERKBadded 2026/05/15 6:36 p.m.9 views

CVE-2021-47958

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References3Affected Software1
Snyk
Snykadded 2026/05/15 6:35 p.m.10 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the isSSRFSafeURL process. An attacker can access internal network resources or sensitive information by exploiting DNS rebindi...

8.3CVSS5.8AI score0.00136EPSS
Exploits0References3
Snyk
Snykadded 2026/05/15 6:34 p.m.8 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the set.json.php process. An attacker can disable a user's two-factor authentication by tricking a logged-in user into...

6.9CVSS5.8AI score0.0011EPSS
Exploits0References3
Github Security Blog
Github Security Blogadded 2026/05/15 6:34 p.m.16 views

AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

Summary Type: Cross-site request forgery on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest call, no isTokenValid check, n...

6.5CVSS5.9AI score0.0011EPSS
Exploits0References3Affected Software1
Snyk
Snykadded 2026/05/15 5:53 p.m.9 views

Server-side Request Forgery (SSRF)

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server,...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References2
Snyk
Snykadded 2026/05/15 5:47 p.m.10 views

Server-side Request Forgery (SSRF)

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the processUrlFile function. An attacker can access internal network resources and sensitive cloud metadata by supplying crafted URLs that target internal or...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References2
Github Security Blog
Github Security Blogadded 2026/05/15 5:47 p.m.16 views

Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

Vulnerability Details CWE-918: Server-Side Request Forgery SSRF The processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetchfileUrl directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticate...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References4Affected Software1
OSV
OSVadded 2026/05/15 5:47 p.m.5 views

GHSA-RPJ4-7X2V-WJRF Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

Vulnerability Details CWE-918: Server-Side Request Forgery SSRF The processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetchfileUrl directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticate...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References4
Snyk
Snykadded 2026/05/15 5:33 p.m.9 views

Cross-site Request Forgery (CSRF)

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF when building an errorURL in parseGenericState, when the storeStateStrategy is set to "cookie" and PKCE is disabled. An...

5.9CVSS5.9AI score
Exploits0References3
NVD
NVDadded 2026/05/15 5:16 p.m.11 views

CVE-2026-44699

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid...

9.1CVSS0.00209EPSS
Exploits0References1
UbuntuCve
UbuntuCveadded 2026/05/15 5:16 p.m.7 views

CVE-2026-44699

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid...

9.1CVSS5.8AI score0.00209EPSS
Exploits0References2
OSV
OSVadded 2026/05/15 5:16 p.m.10 views

UBUNTU-CVE-2026-44699

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid...

9.1CVSS5.8AI score0.00209EPSS
Exploits0References3
GithubExploit
GithubExploitadded 2026/05/15 5:14 p.m.100 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

nextjs-cve-2026-44578 Nuclei templates for detecting...

8.6CVSS5.8AI score0.37756EPSS
Exploits9
Rows per page
Query Builder