89765 matches found
CVE-2026-40280 Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists
Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression ^https?:// to match URL schemes. Because Go's net/url.Parse normalizes...
CVE-2026-40280
Gotenberg vulnerability (CVE-2026-40280) enables SSRF through a case-insensitive URL scheme bypass in the webhook and api-download-from deny-lists. In versions
EUVD-2026-27073
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery SSRF via 'server' parameter...
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter
Impact The PlantUML Macro is vulnerable to Server-Side Request Forgery SSRF. The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious externa...
CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...
CVE-2026-34084 PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load is user-controlled, an attacker can supply a PHP stream...
CVE-2026-34084
CVE-2026-34084 describes a vulnerability in PhpSpreadsheet where IOFactory::load() with a user-controlled filename can pass PHP stream wrappers (phar://, ftp://, ssh2.sftp://) to is_file(), triggering PHAR deserialization and potential remote code execution if an appropriate gadget chain exists. ...
CVE-2026-33975
Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...
EUVD-2026-27452
Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...
CVE-2026-33975 twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization
Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...
CVE-2026-33975 twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization
Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...
AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
Summary objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard...
Cross-site Request Forgery (CSRF)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the userSavePhoto.php process. An attacker can overwrite authenticated users' profile photos with arbitrary content and trigger...
Eclipse BaSyx Java Server SDK vulnerable to Server-Side Request Forgery
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...
GHSA-GX3V-WXFJ-8H24 Eclipse BaSyx Java Server SDK vulnerable to Server-Side Request Forgery
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...
Server-side Request Forgery (SSRF)
Overview firefighter-incident is an Incident Management tool made for Slack using Django Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the CreateJiraBotView class. An attacker can access internal resources and exfiltrate sensitive data by submitting...
Cross-site Request Forgery (CSRF)
Overview jupyterhub is a JupyterHub: A multi-user server for Jupyter notebooks Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the handling of HTTP form endpoints when requests with the Sec-Fetch-Mode: no-cors header are incorrectly treated as same-origin,...
GHSA-M68R-V472-JGQ9 JupyterHub has cross-origin form POSTs bypass XSRF (CWE-352)
Summary JupyterHub's XSRF protection updated in 4.1.0 inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, which they are not, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attacke...
edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint
Summary The syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger...
Server-side Request Forgery (SSRF)
Overview edx-enterprise is a Your project description goes here Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the syncproviderdata function. An attacker can cause the server to make arbitrary HTTP requests to internal or external resources by supplying a...