Lucene search
K

46 matches found

Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-56261 Crawl4AI - Server-Side Request Forgery via Webhook URLs

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS0.00371EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/15 5:47 p.m.12 views

Server-side Request Forgery (SSRF)

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the processUrlFile function. An attacker can access internal network resources and sensitive cloud metadata by supplying crafted URLs that target internal or...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/14 4:56 p.m.11 views

CVE-2026-44520

Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in doclinggraph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the...

5.7CVSS5.8AI score0.00188EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/14 11:22 p.m.13 views

Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection

Summary The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses...

6AI score
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/04/10 9:31 p.m.4 views

EUVD-2026-21579

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the docurl parameter during document upload...

5.3CVSS5.9AI score0.00222EPSS
Exploits0References4
CVE
CVE
added 2026/04/10 7:53 p.m.21 views

CVE-2026-39922

CVE-2026-39922 affects GeoNode 4.x (pre-4.4.5) and 5.x (pre-5.0.2). The issue is a server-side request forgery in the service registration endpoint, allowing authenticated attackers to submit crafted service URLs to trigger outbound requests to arbitrary URLs via the WMS service handler, bypassin...

6.3CVSS5.5AI score0.00172EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/04/10 7:49 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

7CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/04/10 7:49 p.m.6 views

GHSA-R2X7-427F-RQ69 Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation

Summary The validateWebhookURL function in webhooksettingservice.go attempts to block webhooks targeting private/internal IP addresses, but only checks literal IP strings via net.ParseIP. Hostnames that DNS-resolve to private IPs e.g., 169.254.169.254.nip.io, 10.0.0.1.nip.io bypass all checks,...

5.5CVSS5.9AI score
Exploits0References3
NVD
NVD
added 2026/04/09 4:16 p.m.8 views

CVE-2026-39843

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address ...

7.7CVSS0.00246EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/03/31 11:26 p.m.11 views

Nuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters

Product: Nuxt OG Image Version: injection via html parameter GET /og/d/og.png?html= When verbose errors are enabled, the response content is leaked in base64-encoded error messages. Vector 3: SVG injection via html parameter GET /og/d/og.png?html= Mitigation Fixed in v6.2.5. The image source plug...

5.9AI score
Exploits0References2Affected Software1
NVD
NVD
added 2026/03/07 5:15 p.m.9 views

CVE-2026-30858

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a DNS rebinding vulnerability in the webfetch tool allows an unauthenticated attacker to bypass URL validation and access internal resources on the server, including privat...

7.5CVSS0.00355EPSS
Exploits1References1
CVE
CVE
added 2026/03/07 4:34 p.m.21 views

CVE-2026-30858

Technical details for CVE-2026-30858 are not provided in the connected documents. The available sources describe the issue and patch timing but do not specify affected products/versions or exploit details. Monitor for updates.

7.5CVSS5.7AI score0.00355EPSS
Exploits1References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/05 9:43 p.m.8 views

Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer

Summary The webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.. When webhook events fire, the...

8.5CVSS5.9AI score0.00284EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/02/11 3:13 p.m.8 views

GHSA-GF3V-FWQG-4VH7 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

Description The RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option enabled by default is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith to compar...

4.1CVSS5.5AI score0.00371EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/02/11 3:13 p.m.10 views

@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

Description The RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option enabled by default is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith to compar...

4.1CVSS5.5AI score0.00371EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2020-25608

Malware in sbrugna...

4.3CVSS4.9AI score0.00994EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2018-7751

Malware in sbrugna...

7.5CVSS7.6AI score0.01489EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2013-2615

Malware in sbrugna...

7.5CVSS7.5AI score0.02413EPSS
Exploits2References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-31830

Malicious code in bioql PyPI...

8.1CVSS7.9AI score0.00583EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-22971

Malicious code in bioql PyPI...

9.1CVSS6.5AI score0.00386EPSS
Exploits0References1
Rows per page
Query Builder