537 matches found
CVE-2026-6394 Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter
The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery SSRF in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...
CVE-2026-46722
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index...
CVE-2026-42281
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadat...
EUVD-2026-30313
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadat...
EUVD-2026-28868
FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery SSRF vulnerability allows attackers or authenticated users with App editing privileges to send arbitrary HTTP requests to internal/private network addresses. The fetchData function i...
Server-side Request Forgery (SSRF)
Overview phpoffice/phpspreadsheet is a Spreadsheet engine that Read, Create and Write Spreadsheet documents in PHP . Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the IOFactory::load function. An attacker can execute arbitrary code or initiate unauthoriz...
SUSE CVE-2025-66286
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP request...
CVE-2025-66286
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP request...
CVE-2025-66286
Technical details about CVE-2025-66286 are not publicly available in the provided documents. Monitor for updates from Red Hat, WebKitGTK, and WPE WebKit for affected products, versions, impact, and fixes.
CVE-2025-66286 Webkitgtk: authorization bypass through webpage::send-request signal handler
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP request...
CVE-2025-66286 Webkitgtk: authorization bypass through webpage::send-request signal handler
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP request...
PT-2026-34659
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP request...
Linux Distros Unpatched Vulnerability : CVE-2025-66286
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications...
CVE-2026-31432
A flaw was found in the ksmbd component of the Linux kernel. This vulnerability allows an attacker to cause the system to write data beyond its intended memory boundaries when processing specific network requests. Specifically, when a complex request combines data reading with security informatio...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Optimizer component. An attacker can cause the application to hang or crash by sending specially crafted requests over the network while authenticated with high privileges...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the InnoDB component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to...
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the Information Schema component. An attacker can gain unauthorized access to sensitive data by sending crafted requests over the network. Remediation Upgrade libmysqlclient to versi...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network. Remediation Upgrade libmysqlclient to version...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the InnoDB component. An attacker can cause the server to hang or repeatedly crash by sending crafted requests over the network with high privileges. Remediation Upgrade...
CVE-2026-41302 OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch calls to access internal resources or interact with external...