Lucene search
K

360 matches found

Snyk
Snyk
added 2026/05/29 6:8 p.m.13 views

Protection Mechanism Failure

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Protection Mechanism Failure through the NodeVM builtin wildcard expansion in lib/builtin.js. An attacker can load Node’s private underscored network...

9.3CVSS5.9AI score0.00282EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 6:8 p.m.11 views

GHSA-R9PM-GXMW-WV6P NodeVM network builtin exclusions bypass via internal _http_client and _http_server

Summary NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as httpclient and...

8.6CVSS5.8AI score0.00282EPSS
Exploits0References5
NVD
NVD
added 2026/05/29 11:16 a.m.11 views

CVE-2026-9557

A Server-Side Request Forgery SSRF vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary...

6.4CVSS0.00138EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 9:38 a.m.36 views

CVE-2026-9557

A Server-Side Request Forgery SSRF vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary...

6.4CVSS0.00138EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 9:38 a.m.9 views

CVE-2026-9557

A Server-Side Request Forgery SSRF vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary...

6.4CVSS5.9AI score0.00138EPSS
Exploits0References2
CVE
CVE
added 2026/05/29 9:38 a.m.16 views

CVE-2026-9557

CVE-2026-9557 describes a Server-Side Request Forgery (SSRF) in Mautic’s Focus component. The root cause is insufficient validation of user-supplied URLs, allowing an authenticated user to cause the hosting server to perform outbound HTTP requests. This can enable internal network reconnaissance ...

6.4CVSS5.9AI score0.00138EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 9:38 a.m.11 views

CVE-2026-9557

A Server-Side Request Forgery SSRF vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary...

6.4CVSS5.9AI score0.00138EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.11 views

PT-2026-44801

Name of the Vulnerable Software and Affected Versions Mautic affected versions not specified Description A Server-Side Request Forgery SSRF exists in the Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hostin...

6.4CVSS5.9AI score0.00138EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.17 views

PT-2026-44978

Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl method in InteractsWithMedia.php...

7.4CVSS6AI score0.00248EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.21 views

PT-2026-45022

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.4 Description NodeVM allows the exclusion of public network builtins from the wildcard builtin option, which blocks direct access to modules such as 'http', 'https', 'http2', 'net', 'dgram', 'tls', 'dns', and...

8.6CVSS5.3AI score0.00282EPSS
Exploits0References6
NVD
NVD
added 2026/05/28 9:16 p.m.12 views

CVE-2026-49093

Server-Side Request Forgery CWE-918 in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block...

7.7CVSS0.00199EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 8:16 p.m.16 views

CVE-2026-42401

Improper Neutralization of Input During Web Page Generation CWE-79 in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently...

5.4CVSS0.00141EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/28 7:51 p.m.9 views

EUVD-2026-33035

Server-Side Request Forgery CWE-918 in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block...

6.3CVSS5.8AI score0.00199EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 7:51 p.m.36 views

CVE-2026-49093

CVE-2026-49093 describes a Server-Side Request Forgery (SSRF) in Kibana that can be exploited by an authenticated user with connector management privileges to bypass the operator-configured allowlist and make Kibana issue outbound requests to blocked destinations. The issue affects Kibana 9.x ver...

7.7CVSS5.8AI score0.00199EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/28 7:51 p.m.30 views

CVE-2026-49093 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Server-Side Request Forgery CWE-918 in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block...

6.3CVSS0.00199EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/28 7:47 p.m.10 views

EUVD-2026-33032

Server-Side Request Forgery CWE-918 in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations...

7.7CVSS5.8AI score0.003EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 7:47 p.m.25 views

CVE-2026-42398

Kibana is affected by SSRF (CWE-918) where authenticated users with connector-management privileges can bypass the operator-configured allowlist by configuring a Webhook connector to target destinations. The issue allows outbound requests to blocked destinations as per egress controls. Affected v...

7.7CVSS5.8AI score0.003EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/28 7:40 p.m.33 views

CVE-2026-42401 Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection

Improper Neutralization of Input During Web Page Generation CWE-79 in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently...

4.1CVSS0.00141EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 7:40 p.m.9 views

CVE-2026-42401

Improper Neutralization of Input During Web Page Generation CWE-79 in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently...

4.1CVSS5.8AI score0.00141EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/28 7:40 p.m.11 views

CVE-2026-42401 Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection

Improper Neutralization of Input During Web Page Generation CWE-79 in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently...

4.1CVSS5.8AI score0.00141EPSS
Exploits0References1
Rows per page
Query Builder