Lucene search
K

120 matches found

ATTACKERKB
ATTACKERKB
added 2026/03/21 3:27 a.m.1 views

CVE-2026-2351

The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callbackgettextfromurl function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on th...

6.5CVSS5.9AI score0.00252EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.4 views

PT-2026-26650

CVE-2026-30580 File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary… https://t.co/olkBtQ0mG8...

5.8AI score0.00612EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/20 12:0 a.m.2 views

CVE-2026-30580

File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system...

5.9AI score0.00612EPSS
Exploits0References2
CVE
CVE
added 2026/03/20 12:0 a.m.13 views

CVE-2026-30580

File Thingie 2.5.7 is affected by Directory Traversal via the "create folder from url" function. Multiple connected sources (Red Hat, EUVD/ENISA, CNNVD, CVE lists) confirm the vulnerability and target version, but none of the documents provide a concrete remediation (patch/version) or exploitatio...

4.3CVSS5.9AI score0.00612EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/03/17 6:16 p.m.7 views

CVE-2026-25534

Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...

9.1CVSS0.00246EPSS
Exploits0References3
NVD
NVD
added 2026/03/09 9:16 p.m.7 views

CVE-2026-25960

vLLM is an inference and serving engine for large language models LLMs. The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...

9.8CVSS0.00485EPSS
Exploits1References8
Github Security Blog
Github Security Blog
added 2026/03/09 7:55 p.m.12 views

vLLM has SSRF Protection Bypass

Summary The SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. Affected Component - File:...

9.8CVSS5.9AI score0.00485EPSS
Exploits1References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/09 12:0 a.m.6 views

PT-2026-24113

vLLM is an inference and serving engine for large language models LLMs. The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load from url async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...

7.1CVSS6.3AI score0.00528EPSS
Exploits2References5
OSV
OSV
added 2026/01/28 4:14 p.m.2 views

GHSA-QH4C-XF7M-GXFC vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector

Summary A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods obtain and process media from URLs provided by users, using different Python parsing libraries when restrictin...

7.1CVSS6.1AI score0.00528EPSS
Exploits2References5
EUVD
EUVD
added 2026/01/28 5:30 a.m.5 views

EUVD-2026-4865

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the imagereplacementfromurl function that is hooked to the erifromurl AJAX action. This makes it possible for authenticated...

5.3CVSS5.9AI score0.00254EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/01/28 12:0 a.m.15 views

PT-2026-5061

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the image replacement from url function that is hooked to the eri from url AJAX action. This makes it possible for...

5.3CVSS5.9AI score0.00254EPSS
Exploits0References5
NVD
NVD
added 2026/01/27 10:15 p.m.10 views

CVE-2026-24779

vLLM is an inference and serving engine for large language models LLMs. Prior to version 0.14.1, a Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods obtain and process...

7.1CVSS0.00528EPSS
Exploits1References14
OSV
OSV
added 2026/01/22 6:16 p.m.8 views

CVE-2025-56590

An issue was discovered in the InsertFromURL function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server...

9.8CVSS6AI score0.00488EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/01/22 12:0 a.m.13 views

PT-2026-3990

Name of the Vulnerable Software and Affected Versions Apryse HTML2PDF SDK versions through 11.10 Description A flaw exists in the InsertFromURL function that may allow an attacker to execute arbitrary operating system commands on the local server. Recommendations Update to a version beyond 11.10...

9.8CVSS5.8AI score0.00488EPSS
Exploits1References6
ATTACKERKB
ATTACKERKB
added 2026/01/22 12:0 a.m.3 views

CVE-2025-56590

An issue was discovered in the InsertFromURL function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server...

9.8CVSS5.9AI score0.00488EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/01/09 11:27 a.m.9 views

CVE-2021-33213

An SSRF vulnerability in the "Upload from URL" feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to retrieve HTTP and FTP files from the internal server network by inserting an internal address...

6.5CVSS6.6AI score0.01304EPSS
Exploits1References1
Veracode
Veracode
added 2025/11/24 3:37 p.m.5 views

Server-Side Request Forgery (SSRF)

vllm is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient restrictions on user-supplied URLs in the MediaConnector class’s loadfromurl and loadfromurlasync methods, which allows an attacker to coerce the server into making arbitrary internal network requests...

7.1CVSS7.2AI score0.00231EPSS
Exploits0References6Affected Software1
Circl
Circl
added 2025/11/21 10:23 p.m.0 views

GHSA-6XVF-4VH9-MW47

creationtimestamp| type| source ---|---|--- 2025-11-21 22:23:21+00:00| seen| https://infosec.exchange/users/cR0w/statuses/115590024467115020...

5.8AI score
Exploits0References1
NVD
NVD
added 2025/11/18 3:16 p.m.5 views

CVE-2025-63883

A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 Bhabishya-123/E-commerce. The site's client-side JavaScript reads attacker-controlled input for example, values derived from the URL or page fragment and inserts it into the DOM via unsafe sinks...

5.4CVSS0.00235EPSS
Exploits1References1
Cvelist
Cvelist
added 2025/11/18 1:56 p.m.11 views

CVE-2025-55179

Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen...

5.4CVSS0.00152EPSS
Exploits0References2
Rows per page
Query Builder