Lucene search
K

89765 matches found

Vulnrichment
Vulnrichment
added 2026/05/05 7:52 p.m.13 views

CVE-2026-40280 Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression ^https?:// to match URL schemes. Because Go's net/url.Parse normalizes...

7.8CVSS5.7AI score0.00463EPSS
Exploits1References3
CVE
CVE
added 2026/05/05 7:52 p.m.19 views

CVE-2026-40280

Gotenberg vulnerability (CVE-2026-40280) enables SSRF through a case-insensitive URL scheme bypass in the webhook and api-download-from deny-lists. In versions

7.8CVSS5.7AI score0.00463EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/05/05 7:32 p.m.8 views

EUVD-2026-27073

XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery SSRF via 'server' parameter...

4.4CVSS5.8AI score0.00151EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/05 7:32 p.m.13 views

XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter

Impact The PlantUML Macro is vulnerable to Server-Side Request Forgery SSRF. The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious externa...

4.4CVSS5.9AI score0.00151EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/05/05 7:22 p.m.37 views

CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.2CVSS0.00712EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/05 7:22 p.m.5 views

CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...

9.2CVSS6.4AI score0.00712EPSS
Exploits1References1
CVE
CVE
added 2026/05/05 7:22 p.m.36 views

CVE-2026-34084

CVE-2026-34084 describes a vulnerability in PhpSpreadsheet where IOFactory::load() with a user-controlled filename can pass PHP stream wrappers (phar://, ftp://, ssh2.sftp://) to is_file(), triggering PHAR deserialization and potential remote code execution if an appropriate gadget chain exists. ...

9.8CVSS6.4AI score0.00712EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/05 7:19 p.m.7 views

CVE-2026-33975

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

8.3CVSS5.8AI score0.0024EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/05 7:19 p.m.9 views

EUVD-2026-27452

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

8.3CVSS5.8AI score0.0024EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/05 7:19 p.m.40 views

CVE-2026-33975 twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

8.3CVSS0.0024EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/05 7:19 p.m.13 views

CVE-2026-33975 twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

8.3CVSS5.8AI score0.0024EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/05 7:13 p.m.7 views

AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content

Summary objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard...

5.4CVSS6.1AI score0.00121EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/05 7:13 p.m.7 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the userSavePhoto.php process. An attacker can overwrite authenticated users' profile photos with arbitrary content and trigger...

5.4CVSS5.9AI score0.00121EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/05 6:33 p.m.9 views

Eclipse BaSyx Java Server SDK vulnerable to Server-Side Request Forgery

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

8.6CVSS6.3AI score0.00516EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/05 6:33 p.m.5 views

GHSA-GX3V-WXFJ-8H24 Eclipse BaSyx Java Server SDK vulnerable to Server-Side Request Forgery

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

8.6CVSS6.3AI score0.00516EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/05 6:21 p.m.9 views

Server-side Request Forgery (SSRF)

Overview firefighter-incident is an Incident Management tool made for Slack using Django Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the CreateJiraBotView class. An attacker can access internal resources and exfiltrate sensitive data by submitting...

9.9CVSS5.9AI score0.00272EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/05 6:10 p.m.16 views

Cross-site Request Forgery (CSRF)

Overview jupyterhub is a JupyterHub: A multi-user server for Jupyter notebooks Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the handling of HTTP form endpoints when requests with the Sec-Fetch-Mode: no-cors header are incorrectly treated as same-origin,...

9.6CVSS5.7AI score0.00159EPSS
Exploits1References2
OSV
OSV
added 2026/05/05 6:10 p.m.4 views

GHSA-M68R-V472-JGQ9 JupyterHub has cross-origin form POSTs bypass XSRF (CWE-352)

Summary JupyterHub's XSRF protection updated in 4.1.0 inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, which they are not, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attacke...

5.4CVSS5.8AI score0.00159EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/05 5:51 p.m.9 views

edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint

Summary The syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger...

8.5CVSS6.1AI score0.00301EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/05/05 5:51 p.m.14 views

Server-side Request Forgery (SSRF)

Overview edx-enterprise is a Your project description goes here Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the syncproviderdata function. An attacker can cause the server to make arbitrary HTTP requests to internal or external resources by supplying a...

8.5CVSS5.9AI score0.00301EPSS
Exploits1References2
Rows per page
Query Builder