Lucene search
+L

249 matches found

CVE
CVE
added 2026/06/01 7:41 p.m.31 views

CVE-2026-49138

Nanobot prior to version 0.2.1 contains a server-side request forgery (SSRF) in the web_fetch tool. An attacker can supply a URL that redirects to a loopback or private address via a 3xx Location header, taking advantage of the httpx library’s automatic redirect-follow behavior to bypass initial ...

5.3CVSS5.8AI score0.00287EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/01 12:0 a.m.15 views

Mozilla Firefox 安全漏洞

Mozilla Firefox is an open-source web browser developed by the Mozilla Foundation in the United States. Versions of Mozilla Firefox prior to 151.2 contained security vulnerabilities. These vulnerabilities stemmed from Reader View incorrectly escaping HTML tags in JSON-LD metadata. This could allo...

5.4CVSS5.7AI score0.00157EPSS
Exploits0References2
NVD
NVD
added 2026/05/29 6:17 p.m.36 views

CVE-2026-45660

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP...

5.4CVSS0.00151EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 4:43 p.m.11 views

CVE-2026-45660 Statamic: Server-Side Request Forgery via Glide

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 4:43 p.m.40 views

CVE-2026-45660

Statamic’s Glide image proxy vulnerability (CVE-2026-45660) allows SSRF via unsafely validated URL inputs, enabling unauthenticated requests to internal addresses (loopback, private networks, cloud metadata). Affected releases: Statamic before 5.73.22 and 6.18.1. Root cause: URL validation in Gli...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 4:43 p.m.12 views

EUVD-2026-33365

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 6:16 p.m.26 views

CVE-2026-48148

Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an...

5.3CVSS0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 5:12 p.m.41 views

CVE-2026-48148 Budibase: Unvalidated VectorDB Host Parameter Enables SSRF

Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an...

5.3CVSS0.00226EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.10 views

Budibase 安全漏洞

Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.34.8 contained security vulnerabilities. These vulnerabilities stemmed from the processUrlFile...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.16 views

PT-2026-44059

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.35.3 Description The VectorDB configuration endpoint accepts a host parameter that lacks validation against internal IP ranges, reserved hostnames, or URL schemes. This allows an authenticated user with builder-lev...

5.3CVSS5.9AI score0.00226EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.8 views

Budibase 安全漏洞

Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.35.3 contained security vulnerabilities. These vulnerabilities stemmed from VectorDB’s...

5.3CVSS5.8AI score0.00226EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 4:16 p.m.19 views

CVE-2026-40564

Files or Directories Accessible to External Parties, Server-Side Request Forgery SSRF vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files...

6.5CVSS0.0049EPSS
Exploits3References2
Github Security Blog
Github Security Blog
added 2026/05/18 3:32 p.m.27 views

Statamic CMS: Server-Side Request Forgery via Glide

Impact The Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/18 3:32 p.m.5 views

GHSA-PF9C-CH8R-2958 Statamic CMS: Server-Side Request Forgery via Glide

Impact The Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.20 views

PT-2026-41695

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.22 Statamic versions prior to 6.18.1 Description The Glide image proxy contains a flaw where URL validation can be bypassed using an IP representation that is not normalized before the public-IP check. This allo...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References8
NVD
NVD
added 2026/05/15 9:16 p.m.28 views

CVE-2026-45401

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validateurl function in backend/openwebui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream sync requests, async...

8.5CVSS0.003EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.15 views

CVE-2026-43879

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. Wh...

5.4CVSS5.8AI score0.00165EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/15 12:44 p.m.13 views

CVE-2026-44515

A flaw was found in Nextcloud News. An authenticated attacker could exploit this by providing a malicious feed URL that points to internal or private network addresses. This action causes the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations without relayin...

2.3CVSS5.8AI score0.00185EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:55 p.m.13 views

Server-side Request Forgery (SSRF)

Overview @utcp/http is a HTTP utilities for UTCP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the OpenApiConverter process. An attacker can access internal network resources and sensitive metadata endpoints by supplying a malicious OpenAPI specification...

4.7CVSS5.8AI score0.00122EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 8:18 p.m.47 views

GHSA-4V7R-F4W8-8972 Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature

SSRF Bypass via IPv6/IPv4-mapped IPv6/IPv4-reserved-ranges in validateurl Summary validateurl in backend/openwebui/retrieval/web/utils.py calls validators.ipv6ip, private=True, but the validators library does NOT implement the private keyword for IPv6 — the call raises a ValidationError which is...

8.5CVSS5.8AI score0.00286EPSS
Exploits1References5
Rows per page
Query Builder