55924 matches found
CVE-2026-41461
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...
EUVD-2025-5343
Cross-Site Request Forgery CSRF vulnerability in Required Admin Menu Manager allows Cross Site Request Forgery.This issue affects Admin Menu Manager: from n/a through 1.0.3...
CVE-2026-41461
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...
CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...
CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...
PT-2026-34762
Name of the Vulnerable Software and Affected Versions Microsoft Entra ID Entitlement Management affected versions not specified Description Server-side request forgery SSRF in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network. This flaw...
PT-2026-34735
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery SSRF protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP DENY LIST for axios and...
Microsoft Entra ID Entitlement Management 代码问题漏洞
Microsoft Entra ID Entitlement Management is an identity governance service provided by Microsoft that handles the application, approval, and lifecycle management of access rights. There is a code vulnerability in Microsoft Entra ID Entitlement Management, which stems from server-side request...
📄 SocialEngine 7.8.0 Server-Side Request Forgery
SocialEngine versions 7.8.0 and below suffer from a blind server-side request forgery vulnerability. User input passed through the uri request parameter to the /core/link/preview endpoint is not properly sanitized before being used as URL to send an HTTP request from the web server...
CVE-2026-41171
Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery SSRF vulnerability due to missing SSRF protection on the Jint HTTP client used by scripting engine functions getJSON, request, etc.. An authenticate...
EUVD-2026-25110
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery SSRF. The application fails to validate the URI scheme of the user-supplied Url parameter, allowing the use ...
CVE-2026-41172 Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...
EUVD-2026-25106
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...
CVE-2026-41455
CVE-2026-41455 affects WeKan
CVE-2026-41455
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...
Server-side Request Forgery (SSRF)
Overview flarum/core is a simple discussion platform for your website. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the interpolation of unvalidated LESS config variables during CSS compilation. An attacker can access arbitrary files on the server or...
CVE-2026-40882
OpenRemote’s Velbus asset import vulnerability (CVE-2026-40882) is an XXE in the import path prior to version 1.22.0. An authenticated user with import access can trigger XML external entity processing when posting Velbus project XML, potentially causing server-side file disclosure (target file
monetr: Server-side request forgery in Lunch Flow link creation and refresh
Impact A server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream response...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...