109 matches found

Nuclei
added 12 hours ago, 12 views

Mailpit < 1.28.3 - Server-Side Request Forgery

Mailpit <= 1.28.0 contains a server-side request forgery caused by insufficient validation of internal IP addresses in the /proxy endpoint, letting attackers make requests to internal network resources; exploitation requires crafted HTTP GET requests. id: CVE-2026-21859 info: name: Mailpit < 1.28.3 -...

CVSS 5.8 | AI score 6.1 | EPSS 0.00755
Exploits 2 | References 2
Positive Technologies
added 2026/06/16 12:00 a.m., 10 views

PT-2026-50166

Name of the Vulnerable Software and Affected Versions: Crawl4AI versions prior to 0.8.9. Description: The Docker API server fails to apply Server-Side Request Forgery (SSRF) destination checks to proxy addresses, only validating the crawl target URL. Because the Docker API is unauthenticated by defaul...

CVSS 8.6 | AI score 5.8 | EPSS 0.00289
Exploits 0 | References 8
CVE
added 2026/03/26 8:04 p.m., 16 views

CVE-2026-33644

CVE-2026-33644 describes an SSRF bypass in Lychee prior to 7.5.2. The issue lies in the PhotoUrlRule.php validation: the IP address check (lines 86–89) activates only when the hostname is an IP, so domain names resolve to internal IPs and bypass the check, enabling potential SSRF. A patch is avai...

CVSS 4.3 | AI score 5.8 | EPSS 0.00217
Exploits 1 | References 2 | Affected Software 1
CNNVD
added 2026/03/24 12:00 a.m., 17 views

Wallos code issue vulnerability

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.7.0 had code vulnerabilities. These vulnerabilities stemmed from incomplete SSRF protections, and the save endpoint did not apply the validatewebhookurlforssrf protection. This allowe...

CVSS 7.7 | AI score 7.4 | EPSS 0.00282
Exploits 3 | References 2
Vulnrichment
added 2026/03/02 4:28 p.m., 4 views

CVE-2025-64427 ZimaOS is vulnerable to Server-Side Request Forgery (SSRF)

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses e.g., 127.0.0.1, localhost, or...

CVSS 7.1 | AI score 5.9 | EPSS 0.00238
Exploits 1 | References 1
Cvelist
added 2026/02/21 4:09 a.m., 27 views

CVE-2026-27193 Feathers exposes internal headers via unencrypted session cookie

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

CVSS 8.2 | EPSS 0.00354
Exploits 0 | References 3
Snyk
added 2026/02/18 12:56 a.m., 4 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the webhooks process. An attacker can access internal network resources and extract sensitive information by submitting crafted webhook URLs that resolve to internal IP addresses, causing the server ...

CVSS 7.2 | AI score 5.5 | EPSS 0.00061
Exploits 0 | References 3
OSV
added 2026/02/09 7:36 p.m., 7 views

CVE-2026-25493 Craft has an SSRF in GraphQL Asset Mutation via HTTP Redirect

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypa...

CVSS 6.9 | AI score 5.7 | EPSS 0.00359
Exploits 1 | References 5
Vulnrichment
added 2026/01/16 12:46 p.m., 4 views

CVE-2026-0613

The Librarian contains an internal port scanning vulnerability, facilitated by the webfetch tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses. The vendor has...

AI score 6.5 | EPSS 0.00373
Exploits 0 | References 2
RedhatCVE
added 2026/01/09 9:28 a.m., 11 views

CVE-2023-49094

Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if the...

CVSS 4.3 | AI score 7 | EPSS 0.00705
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:03 a.m., 13 views

CVE-2024-39699

Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...

CVSS 5 | AI score 7.3 | EPSS 0.00435
Exploits 1 | References 1
OSV
added 2026/01/07 11:24 p.m., 5 views

CVE-2026-21859 Mailpit Proxy Endpoint is Vulnerable to Server-Side Request Forgery (SSRF)

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it do...

CVSS 5.8 | AI score 6.4 | EPSS 0.00755
Exploits 2 | References 4
RedhatCVE
added 2026/01/07 9:30 a.m., 10 views

CVE-2019-16951

A remote file include (RFI) issue was discovered in Enghouse Web Chat 6.2.284.34. One can replace the localhost attribute with one's own domain name. When the product calls this domain after the POST request is sent, it retrieves an attacker's data and displays it. Also worth mentioning is the amou...

CVSS 5.3 | AI score 6.6 | EPSS 0.00952
Exploits 1 | References 1
RedhatCVE
added 2026/01/07 9:16 a.m., 7 views

CVE-2025-68437

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the file input, specifically its url parameter,...

CVSS 5.9 | AI score 7.1 | EPSS 0.00427
Exploits 1 | References 1
Github Security Blog
added 2026/01/06 5:44 p.m., 11 views

Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability

Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources. Description: The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it doe...

CVSS 5.8 | AI score 6.9 | EPSS 0.00755
Exploits 2 | References 5 | Affected Software 1
CNNVD
added 2025/12/11 12:00 a.m., 3 views

TeamViewer DEX Client security vulnerability

TeamViewer DEX Client is a digital employee experience and endpoint management software from TeamViewer Germany. A security vulnerability exists in TeamViewer DEX Client versions prior to 25.11 that stems from the service being forced to transfer data to arbitrary internal IP addresses, which cou...

CVSS 6.5 | AI score 6.3 | EPSS 0.00211
Exploits 0 | References 1
EUVD
added 2025/10/07 12:30 a.m., 6 views

EUVD-2010-3544

Malware in sbrugna...

CVSS 5 | AI score 8.5 | EPSS 0.02999
Exploits 0 | References 49
EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2016-7240

Malware in sbrugna...

CVSS 5.3 | AI score 6.8 | EPSS 0.02264
Exploits 0 | References 6
EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2018-20485

Malware in sbrugna...

CVSS 5.3 | AI score 5.6 | EPSS 0.0144
Exploits 0 | References 2
EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2019-7431

Malware in sbrugna...

CVSS 5.3 | AI score 5.5 | EPSS 0.00952
Exploits 1 | References 2