11 matches found
EUVD-2026-39638
The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated...
Server-side Request Forgery (SSRF)
Overview mcp-url-downloader is a MCP server that enables AI assistants to download files from URLs to the local filesystem Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateurlsafe function. An attacker can access internal resources or services b...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...
Server-side Request Forgery (SSRF)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the EPG link processing, which fails to properly validate URLs using the intended isSSRFSafeURL function. An attacker can caus...
PT-2026-26167
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch server-side, and returns the...
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads
Impact A Server-Side Request Forgery SSRF vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. Users are affected ...
CVE-2025-68477 Langflow vulnerable to Server-Side Request Forgery
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, an...
DNN 安全漏洞
DNN aka DotNetNuke is a Microsoft-supported, open-source content management system CMS based on the ASP.NET platform from the U.S. company DNN. The system is easy to install, scalable, feature-rich and so on. A security vulnerability exists in versions prior to DNN 10.1.0, which stems from...
CVE-2025-9862 Ghost 6.0.6 - SSRF via oEmbed Bookmark
Server-Side Request Forgery SSRF vulnerability in Ghost allows an attacker to access internal resources.This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3...
PT-2024-25386 · Unknown · Cusmin Absolutely Glamorous Custom Admin
Name of the Vulnerable Software and Affected Versions: Cusmin Absolutely Glamorous Custom Admin versions through 7.2.2 Description: A Server-Side Request Forgery SSRF issue affects the software, allowing unauthorized access to internal resources. This can lead to sensitive data exposure or other...
WireMock XML External Entity Injection Vulnerability
WireMock is an open source HTTP-based API simulator . An XML external entity vulnerability exists in WireMock versions prior to 2.16.0. A remote attacker could exploit this vulnerability to access local files and internal resources and potentially cause a denial of service...