PT-2026-47080

Summary The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses including IPv4-mapped IPv6 forms and localhost reached the driver. Details A new validateDbConnectionHost helpe...

CVE-2026-49138 Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...

CVE-2026-49138

Nanobot prior to version 0.2.1 contains a server-side request forgery (SSRF) in the web_fetch tool. An attacker can supply a URL that redirects to a loopback or private address via a 3xx Location header, taking advantage of the httpx library’s automatic redirect-follow behavior to bypass initial ...

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the direct-prompt CLI. An attacker can access sensitive local...

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

EUVD-2026-33365

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP...

Playwright Capture permits access to local files and internal network resources during page capture

Playwright Capture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on...

CVE-2026-40280

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression ^https?:// to match URL schemes. Because Go's net/url.Parse normalizes...

EUVD-2026-25604

Axios: noproxy bypass via IP alias allows SSRF...

axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NOPROXY rules. An attacker can exploit this by crafting requests to loopback addresses e.g., localhost. or ::1 which bypass the NOPROXY...

Security Bulletin: Axios NO_PROXY Bypass via Improper Hostname Normalization Leads to SSRF

Summary Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching an...

Incomplete List of Disallowed Inputs

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the isLoopback host check in the proxy helper, which relied on a static list of LOOPBACKADDRESSES. An attacker can route requests...

Incomplete List of Disallowed Inputs

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the isLoopback host check in the proxy helper, which relied on a static list of LOOPBACKADDRESSES. An attacker ca...

CVE-2026-42038

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVE-2026-42038

Axios no_proxy bypass via IP alias allows SSRF in older releases. Affected: Axios (browser/Node.js). Fault: shouldBypassProxy() uses pure string matching and does not resolve IP aliases or loopback equivalents, so requests to 127.0.0.1 or [::1] can be proxied when no_proxy=localhost. Impact: pote...

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

Axios 代码问题漏洞

Axios is an open-source HTTP client developed by Axios. Versions of Axios prior to 1.15.1 and 0.31.1 have code vulnerabilities. These vulnerabilities stem from incomplete fixes for noproxy hostname normalization, allowing requests to 127.0.0.1 and ::1 to still be routed through a proxy...

CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

CVE-2026-40516

OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the webfetch and websearch tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an...

SUSE CVE-2025-62718

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NOPROXY rules. Requests to loopback addresses like localhost. with a trailing dot or ::1 IPv6 literal skip NOPROXY matching and go...