
55965 matches found

Cvelist
added 2026/03/24 12:16 a.m. | 218 views

CVE-2026-22739 Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from...

CVSS 8.6 | EPSS 0.0122
Exploits 0 | References 1

CNNVD
added 2026/03/24 12:0 a.m. | 5 views

DesDev DedeCMS Security Vulnerability

DesDev DedeCMS is an open-source content management system (CMS) developed by DesDev Corporation, based on PHP. This system offers functions such as content publishing, content management, content editing, and content retrieval. Version 5.7.118 of DesDev DedeCMS contains a security vulnerability,...

CVSS 8.8 | AI score 5.7 | EPSS 0.00138
Exploits 0 | References 2

CVE
added 2026/03/24 12:0 a.m. | 10 views

CVE-2026-29839

DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php. The available sources confirm the affected product/version and the vulnerable endpoint, but do not provide details on root cause, exploitability, impact scope, or remediation steps. No exploit detail...

CVSS 8.8 | AI score 5.8 | EPSS 0.00138
Exploits 0 | References 2 | Affected Software 1

CNNVD
added 2026/03/24 12:0 a.m. | 4 views

Wallos Code Issue Vulnerability

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.7.0 had code vulnerabilities. These vulnerabilities stemmed from incomplete SSRF protections, and the save endpoint did not apply the validatewebhookurlforssrf protection. This allowe...

CVSS 7.7 | AI score 7.4 | EPSS 0.00282
Exploits 3 | References 2

Positive Technologies
added 2026/03/24 12:0 a.m. | 4 views

PT-2026-27446

Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.2.1. Description: Vikunja is a self-hosted task management platform. Prior to version 2.2.1, the DownloadFile and DownloadFileWithHeaders functions within the pkg/modules/migration/helpers.go file do not have...

CVSS 6.4 | AI score 5.8 | EPSS 0.00272
Exploits 1 | References 8

Vulnrichment
added 2026/03/24 12:0 a.m. | 8 views

CVE-2026-29839

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php...

AI score 5.8 | EPSS 0.00138
Exploits 0 | References 2

Cvelist
added 2026/03/24 12:0 a.m. | 18 views

CVE-2026-29839

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php...

EPSS 0.00138
Exploits 0 | References 2

F5 Networks
added 2026/03/23 10:46 p.m. | 11 views

K000160435: FasterXML jackson-databind vulnerability CVE-2018-14721

Security Advisory Description: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. CVE-2018-14721 Impact: There is no impact; F5 products a...

CVSS 10 | AI score 5.8 | EPSS 0.10458
Exploits 0

OSV
added 2026/03/23 9:43 p.m. | 3 views

GHSA-RC55-58F4-687G Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents

This vulnerability allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. | Field | Details | | :--- | :--- | |...

CVSS 6.8 | AI score 5.9 | EPSS 0.00383
Exploits 1 | References 4

Cvelist
added 2026/03/23 9:36 p.m. | 19 views

CVE-2026-32279 Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and...

CVSS 6.8 | EPSS 0.00347
Exploits 0 | References 5

Vulnrichment
added 2026/03/23 9:36 p.m. | 2 views

CVE-2026-32279 Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin. Versions 1.41.1 and...

CVSS 6.8 | AI score 5.8 | EPSS 0.00347
Exploits 0 | References 5

EUVD
added 2026/03/23 8:36 p.m. | 2 views

EUVD-2026-14573

Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin...

CVSS 6.8 | AI score 5.8 | EPSS 0.00347
Exploits 0 | References 5

Snyk
added 2026/03/23 8:36 p.m. | 1 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the external page migration in the page management plugin. An attacker with privileges to use the page management screen can access internal network resources and potentially disclose sensitive...

CVSS 8.3 | AI score 5.8 | EPSS 0.00347
Exploits 0 | References 2

Patchstack
added 2026/03/23 7:38 p.m. | 4 views

WordPress Performance Monitor plugin <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter vulnerability

Unauthenticated Server-Side Request Forgery via 'url' Parameter vulnerability discovered by Afshin Shekaari in WordPress Plugin Performance Monitor versions <= 1.0.6...

CVSS 7.2 | AI score 5.8 | EPSS 0.00374
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2026/03/23 7:26 p.m. | 10 views

WordPress Redirect countdown plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Redirect countdown versions <= 1.0...

CVSS 4.3 | AI score 5.8 | EPSS 0.0014
Exploits 0 | References 1 | Affected Software 1

Snyk
added 2026/03/23 6:14 p.m. | 2 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /download URL validation process. An attacker can access internal resources or trigger unintended network requests by crafting a browser-side redirect that bypasses validation. Remediation: Upgrad...

CVSS 6.9 | AI score 5.9 | EPSS 0.00289
Exploits 1 | References 3

NVD
added 2026/03/23 5:16 p.m. | 2 views

CVE-2026-33507

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

CVSS 8.8 | EPSS 0.00367
Exploits 1 | References 2

Patchstack
added 2026/03/23 5:0 p.m. | 5 views

WordPress Post Snippits plugin <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Post Snippits versions <= 1.0...

CVSS 6.1 | AI score 5.8 | EPSS 0.0012
Exploits 0 | References 1 | Affected Software 1

CVE
added 2026/03/23 4:29 p.m. | 15 views

CVE-2026-33502

Summary (CVE-2026-33502) AVideo (open-source video platform) contains an unauthenticated SSRF via plugin/Live/test.php. In affected versions

CVSS 9.3 | AI score 5.9 | EPSS 0.00442
Exploits 1 | References 2 | Affected Software 1

NVD
added 2026/03/23 3:16 p.m. | 3 views

CVE-2026-4590

A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in cross-site reques...

CVSS 3.1 | EPSS 0.00148
Exploits 0 | References 4