Lucene search
K

120 matches found

NVD
NVD
added 2025/11/04 10:16 p.m.6 views

CVE-2025-62719

LinkAce is a self-hosted archive to collect website links. In versions 2.3.0 and below, the htmlKeywordsFromUrl function in the FetchController class accepts user-provided URLs and makes HTTP requests to them without validating that the destination is not an internal or private network resource...

4.3CVSS0.00304EPSS
Exploits1References3
OSV
OSV
added 2025/10/07 10:14 p.m.3 views

GHSA-3F6C-7FW2-PPM4 vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

Summary A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows...

7.1CVSS6.5AI score0.00231EPSS
Exploits0References6
Snyk
Snyk
added 2025/10/07 10:14 p.m.3 views

Server-side Request Forgery (SSRF)

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the loadfromurl and loadfromurlasync methods of the MediaConnector class, which fetch and process media from...

8.3CVSS7.1AI score0.00231EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2025/10/07 10:14 p.m.8 views

vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

Summary A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows...

7.1CVSS6.5AI score0.00231EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2025/10/07 8:15 p.m.9 views

CVE-2025-6242

A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an...

7.1CVSS0.00231EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/10/07 7:45 p.m.10 views

CVE-2025-6242 Vllm: server side request forgery (ssrf) in mediaconnector

A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an...

7.1CVSS0.00231EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 7:45 p.m.5 views

EUVD-2025-32892

A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an...

7.1CVSS6.6AI score0.00231EPSS
Exploits0References2
CVE
CVE
added 2025/10/07 7:45 p.m.26 views

CVE-2025-6242

The CVE-2025-6242 SSRF vulnerability targets vLLM's MediaConnector (load_from_url/load_from_url_async) allowing user-supplied URLs to trigger server-side requests to internal resources. Concrete details: the issue arises from insufficient host restriction on mediaURL fetches, enabling potential a...

7.1CVSS6.7AI score0.00231EPSS
Exploits0References2
NVD
NVD
added 2025/10/07 8:15 a.m.5 views

CVE-2025-7400

The Featured Image from URL FIFU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS0.0018EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-30335

Malicious code in bioql PyPI...

7.1CVSS6.4AI score0.00354EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/09/26 12:0 a.m.9 views

WordPress plugin Featured Image from URL SQL注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A SQL injection...

4.9CVSS7.6AI score0.00306EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/09/11 7:16 a.m.8 views

CVE-2025-9539

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwpajaximportautomationfromurl function in all versions up to, and...

8CVSS5.9AI score0.00416EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/09/09 12:0 a.m.9 views

PT-2025-36946

Name of the Vulnerable Software and Affected Versions: halo versions prior to 2.20.17 Description: The software is vulnerable to a server-side request forgery SSRF issue. The vulnerability exists in the /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url API endpoint...

9.1CVSS6.5AI score0.00348EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/08/14 6:52 p.m.2 views

Malicious code in title-from-url (npm)

The package title-from-url was found to contain malicious code...

7AI score
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 11:51 p.m.6 views

CVE-2022-2278

The Featured Image from URL FIFU WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite...

4.8CVSS5.7AI score0.00511EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/02/05 6:55 a.m.9 views

CVE-2024-32533

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Peter Shaw LH Add Media From Url allows Reflected XSS.This issue affects LH Add Media From Url: from n/a through 1.22...

7.1CVSS5.2AI score0.00354EPSS
Exploits0References1
Patchstack
Patchstack
added 2025/01/16 6:43 p.m.8 views

WordPress Save & Import Image from URL Plugin <= 0.7 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Save & Import Image from URL versions = 0.7...

7.1CVSS6.1AI score0.00241EPSS
Exploits0Affected Software1
CVE
CVE
added 2024/11/01 2:18 p.m.61 views

CVE-2024-37276

CVE-2024-37276 concerns the WordPress plugin Featured Image from URL (FIFU). Public records show a Missing Authorization vulnerability allowing exploitation of incorrectly configured access control security levels in the FIFU component that handles Featured Image from URL. Affected versions are l...

5.3CVSS5.3AI score0.0035EPSS
Exploits0References1
Snyk
Snyk
added 2024/09/17 2:42 p.m.4 views

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation via the makeFromUrl and makeFromAny methods. An attacker can read local files or perform server-side request forgery by supplying malicious URLs. PoC php / @var \Czim\FileHandling\Storage\File\StorableFileFacto...

8.2CVSS6.7AI score0.00636EPSS
Exploits0References2
NVD
NVD
added 2024/08/21 6:15 a.m.31 views

CVE-2024-7090

The LH Add Media From Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘lhaddmediafromurl-fileurl’ parameter in all versions up to, and including, 1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ...

6.1CVSS0.00392EPSS
Exploits0References4
Rows per page
Query Builder