Lucene search
+L

57 matches found

github
github
added 2025/11/10 9:34 p.m.9 views

Soft Serve is vulnerable to SSRF through its Webhooks

SUMMARY We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. AFFECTED COMPONENTS VERIFIED 1. Webhook Creation...

9.1CVSS6.9AI score0.00335EPSS
Exploits1References5Affected Software1
veracode
veracode
added 2025/11/10 9:14 a.m.10 views

Server-Side Request Forgery (SSRF)

cors-anywhere is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to instances being configured as open proxies that forward attacker-controlled target URLs, methods, and headers without restriction, which allows an attacker to induce requests to internal-only endpoints...

9.5CVSS7AI score0.01005EPSS
Exploits0References7Affected Software1
osv
osv
added 2025/10/14 10:24 p.m.3 views

GHSA-9F2H-7V79-MXW3 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Summary Prototype pollution capabilities on various APIs. Details Injection of malicious payload allows attacker to remotely execute arbitrary code. Parse.Object and internal APIs are affected, specifically: - ParseObject.fromJSON - ParseObject.pin - ParseObject.registerSubclass -...

6.4CVSS7.3AI score0.00383EPSS
Exploits0References6
vulnrichment
vulnrichment
added 2025/10/14 8:6 p.m.3 views

CVE-2025-62374 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations internal...

6.4CVSS7.2AI score0.00383EPSS
Exploits0References4
cvelist
cvelist
added 2025/10/14 8:6 p.m.14 views

CVE-2025-62374 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations internal...

6.4CVSS0.00383EPSS
Exploits0References4
osv
osv
added 2025/10/14 8:6 p.m.7 views

CVE-2025-62374 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs

Parse Javascript SDK provides access to the powerful Parse Server backend from your JavaScript app. Prior to 7.0.0, injection of malicious payload allows attacker to remotely execute arbitrary code. ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations internal...

6.4CVSS7.7AI score0.00383EPSS
Exploits0References6
cnnvd
cnnvd
added 2025/02/06 12:0 a.m.3 views

mitmproxy 安全漏洞

mitmproxy is an interactive, SSL/TLS-enabled interceptor proxy with a console interface for HTTP/1, HTTP/2, and WebSockets from the mitmproxy open source. A security vulnerability exists in mitmproxy version 11.1.1 and earlier, which stems from a malicious client that can utilize the proxy server...

8.2CVSS7.5AI score0.00817EPSS
Exploits0References3
nessus
nessus
added 2024/10/22 12:0 a.m.20 views

LangChain < 0.2.9 SSRF

The remote host contains a langchain version that is prior to 0.2.9. It is, therefore, affected by a Server-Side Request Forgery vulnerability in the Web Research Retriever component in langchain-community langchain-community.retrievers.webresearch.WebResearchRetriever. The vulnerability arises...

7.7CVSS6.4AI score0.00691EPSS
Exploits1References4
cnnvd
cnnvd
added 2024/06/13 12:0 a.m.6 views

Dell Secure Connect Gateway Access Control Error Vulnerability

Dell Secure Connect Gateway is a secure connectivity gateway from Dell, Inc. An access control error vulnerability exists in Dell Secure Connect Gateway versions prior to 5.24.00.00, which stems from an internal REST API exposure that could be exploited by a remote attacker to potentially apply...

5.4CVSS6.7AI score0.00349EPSS
Exploits0References2
osv
osv
added 2024/06/06 9:30 p.m.19 views

GHSA-Q25C-C977-4CMH Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever

A Server-Side Request Forgery SSRF vulnerability exists in the Web Research Retriever component in langchain-community langchain-community.retrievers.webresearch.WebResearchRetriever. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet...

4.8CVSS6.5AI score0.00691EPSS
Exploits1References6
github
github
added 2024/06/06 9:30 p.m.36 views

Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever

A Server-Side Request Forgery SSRF vulnerability exists in the Web Research Retriever component in langchain-community langchain-community.retrievers.webresearch.WebResearchRetriever. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet...

7.7CVSS5.5AI score0.00691EPSS
Exploits1References6Affected Software1
nvd
nvd
added 2024/06/06 7:15 p.m.30 views

CVE-2024-3095

A Server-Side Request Forgery SSRF vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This...

7.7CVSS0.00691EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2024/04/10 12:0 a.m.6 views

PT-2024-24092 · Plane · Plane

Name of the Vulnerable Software and Affected Versions: Plane versions prior to 0.17-dev Description: The issue is a Server-Side Request Forgery SSRF vulnerability that may allow an attacker to send arbitrary requests from the server hosting the application, potentially leading to unauthorized...

9.1CVSS7.3AI score0.00667EPSS
Exploits0References12
mageia
mageia
added 2024/03/22 12:19 a.m.47 views

Updated libuv packages fix security vulnerability

It was discovered that the uvgetaddrinfo function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may result in bypass of security measures on internal APIs or SSRF attacks. CVE-2024-24806...

7.3CVSS7AI score0.02003EPSS
Exploits1References4
amazon
amazon
added 2024/03/04 12:0 a.m.33 views

Medium: libuv

Issue Overview: libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to...

7.3CVSS7.5AI score0.02003EPSS
Exploits1
redhatcve
redhatcve
added 2024/02/08 12:39 p.m.67 views

CVE-2024-24806

A server-side request forgery SSRF flaw was found in the libuv package due to how the hostnameascii variable is handled in uvgetaddrinfo and uvidnatoascii. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result, attackers may be able to access...

7.3CVSS7.2AI score0.02003EPSS
Exploits1References5
veracode
veracode
added 2024/02/08 8:37 a.m.24 views

Server-Side Request Forgery (SSRF)

libuv.so is vulnerable to Server-Side Request Forgery SSRF. The vulnerability arises due to how the hostnameascii variable with a length of 256 bytes is handled in uvgetaddrinfo and subsequently in uvidnatoascii. When the hostname exceeds 256 characters, it gets truncated without a terminating nu...

7.3CVSS7AI score0.02003EPSS
Exploits1References11Affected Software3
ubuntucve
ubuntucve
added 2024/02/07 10:15 p.m.401 views

CVE-2024-24806

libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses...

7.3CVSS6.9AI score0.02003EPSS
Exploits1References4
osv
osv
added 2024/02/07 9:44 p.m.44 views

CVE-2024-24806 Improper Domain Lookup that potentially leads to SSRF attacks in libuv

libuv is a multi-platform support library with a focus on asynchronous I/O. The uvgetaddrinfo function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c, truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses...

7.3CVSS7AI score0.02003EPSS
Exploits1References13
github
github
added 2023/09/06 8:51 p.m.38 views

WireMock Controlled Server Side Request Forgery vulnerability through URL

Impact WireMock can be configured to only permit proxying and therefore recording to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. Documentation. Until WireMock Webhooks Extension 3.0.0-beta-1...

5.4CVSS6.6AI score0.00469EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder