108 matches found
Auto Favicon MCP Server 代码问题漏洞
The Auto Favicon MCP Server is a tool developed by Yuey, a personal developer, for automatically generating website icons. The Auto Favicon MCP Server f189116a9259950c2393f114dbcb94dde0ad864b and previous versions have code vulnerabilities. These vulnerabilities stem from improper handling of the...
Server-side Request Forgery (SSRF)
Overview langchain-text-splitters is a LangChain text splitting utilities Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the splittextfromurl function. An attacker can access internal network resources and potentially exfiltrate sensitive data by supplying...
ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
EUVD-2026-23121
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
Server-side Request Forgery (SSRF)
Overview processwire/processwire is a CMS/CMF. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the Add Module From URL process. An attacker can access internal network resources and sensitive endpoints by supplying arbitrary URLs to the module download...
Malicious code in chai-as-chain-v2 (npm)
chai-as-chain-v2 is a malicious npm package that when imported downloads a C2 dropper from https://jsonkeeper.com/b/FAWPU and executes it similar to malware in to chai-await-test. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...
CVE-2026-40500 ProcessWire CMS SSRF via Add Module From URL
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
CVE-2026-40500 ProcessWire CMS SSRF via Add Module From URL
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
CVE-2026-40500
ProcessWire CMS has a server‑side request forgery in the admin panel feature Add Module From URL affecting version 3.0.255 and earlier. An authenticated administrator can supply arbitrary URLs to the module download parameter, triggering the server to issue outbound HTTP requests to attacker‑cont...
PT-2026-33179
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
CVE-2026-34981 whisperX REST API: SSRF in download_from_url() — URL validation happens after HTTP request, extension bypass via .mp3
The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.downloadfromurl in app/services/fileservice.py calls requests.geturl with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by...
CVE-2026-34981
The whisperX REST API contains an SSRF vulnerability in FileService.download_from_url() (affecting 0.3.1–0.5.0) where a request is made with no URL validation; the file extension check runs after the HTTP request and can be bypassed by appending .mp3 to an internal URL. The /speech-to-text-url en...
CVE-2026-34576
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...
CVE-2026-34576 Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...
CVE-2026-34576
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...
CVE-2026-34576
Postiz (AI social media scheduling tool) has a SSRF vulnerability in the POST /public/v1/upload-from-url endpoint prior to version 2.21.3. An authenticated API user can supply a URL, which is fetched server-side via axios.get() without SSRF protections; only file-extension validation exists (e.g....
CVE-2026-34576 Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...
EUVD-2026-18446
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...
Gitroom Postiz 代码问题漏洞
Gitroom Postiz is an open-source social media scheduling tool developed by Gitroom. Versions of Gitroom Postiz prior to 2.21.3 contained code vulnerabilities. These vulnerabilities stemmed from the lack of server-side request forgery protection in the POST /public/v1/upload-from-url endpoint, whi...
PT-2026-29852
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get with no SSRF protections. The only validation is a file extension check .png, .jpg, etc. which is trivially...