205 matches found
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...
CVE-2026-47076
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a hackney_url record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so ...
CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a hackney_url record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so ...
EEF-CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney
Summary: Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a hackney_url record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the...
CVE-2026-47076
CVE-2026-47076 affects the hackney HTTP client (from 0.13.0 up to, but not including, 4.0.1). The issue arises because hackney_url:normalize/2 decodes the host after parsing, while OTP’s uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes, allowing a crafted URL such as htt...
CVE-2026-44015 Nginx UI: Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware Allows Access to Internal Services
Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwar...
CVE-2026-42339
CVE-2026-42339 (New API: SSRF Filter Bypass via 0.0.0.0) Affects New API (LLM gateway) up to v0.11.9-alpha.1. The SSRF protection is incomplete: 0.0.0.0/8 is not checked, allowing a regular user with a valid API token to request multimodal endpoints (/v1/chat/completions, /v1/responses, /v1/messa...
CVE-2026-42339 New API: SSRF Filter Bypass via 0.0.0.0
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular...
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
Summary: The kanban npm package used by the cline CLI starts a WebSocket server on 127.0.0.1:3484 with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and: 1. Leak sensitive data in real-time: workspace filesystem paths, task...
CVE-2026-41413 Istio Vulnerable to SSRF via RequestAuthentication jwksUri
Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhos...
GHSA-V5C3-6WVC-PC2Q QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0
SSRF Filter Bypass via 0.0.0.0. Summary: The SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular non-admin user holding any valid API token can send a multimodal request to /v1/chat/completions,...
PT-2026-37258
Name of the Vulnerable Software and Affected Versions: MagicMirror² versions prior to 2.36.0. Description: An unauthenticated Server-Side Request Forgery (SSRF) exists in the '/cors' endpoint, which acts as an open HTTP proxy without authentication or URL validation. This allows remote attackers to...
Astra Linux - vulnerability in etcd
A DNS rebinding vulnerability has been discovered in etcd 3.3.1 and earlier versions. An attacker can manipulate their DNS records to direct requests to localhost, thereby tricking the browser into sending requests to localhost or any other address...
CVE-2026-37552
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize, then executes the result via call_user_func. No authentication or signature verification exists on the...
EUVD-2026-26670
Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize, then executes the result via call_user_func. No authentication or signature verification exists on the...
Exploit for Improper Access Control in Nodejs Node.Js
CVE-2026-21636 - Node.js Permission Model UDS/Network Bypass...
CVE-2026-41172
Squidex (open source headless CMS) is affected by an SSRF vulnerability in asset uploads prior to version 7.23.0. A user with asset upload permission can cause the server to fetch arbitrary URLs (including localhost/private network targets) and persist the response as an asset. The issue is fixed...