CVE-2026-32328 WordPress Lemmony theme < 1.7.1 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony (lemmony) allows Cross Site Request Forgery. This issue affects Lemmony: from n/a through 1.7.1...
CVE-2026-22215
wpDiscuz prior to 7.6.47 is affected by a CSRF flaw in getFollowsPage that allows triggering unauthorized actions without nonce validation. The vulnerability enables an attacker to craft requests to enumerate follow relationships and alter user follow data via the follows page handler. Root cause...
CVE-2026-22202
wpDiscuz before 7.6.47 is affected by a cross-site request forgery that lets an attacker delete all comments for a target email by triggering a crafted GET request containing a valid HMAC key. The attacker can embed the deletecomments action URL in image tags or other resources to cause permanent...
PT-2026-25191
CVE-2026-32344 Cross-Site Request Forgery (CSRF) vulnerability in desertthemes Corpiva (corpiva) allows Cross Site Request Forgery. This issue affects Corpiva: from n/a through = 1.0.… https://t.co/avO7gmzQhI...
PT-2026-25266
CVE-2026-32420 Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress (gamipress) allows Cross Site Request Forgery. This issue affects GamiPress: from n/a through … https://t.co/vexu84hxBQ...
PT-2026-25258
Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce (gift-up) allows Server Side Request Forgery. This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through = 3.1.7...
PT-2026-25204
CVE-2026-32357 Server-Side Request Forgery (SSRF) vulnerability in Katsushi Kawamori Simple Blog Card (simple-blog-card) allows Server Side Request Forgery. This issue affects Simple B… https://t.co/rZPsS8Lbne...
CVE-2026-32301 Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. tenant). An unauthenticated attacker can craft a JWT with a malicious iss or...
GO-2026-4685 SiYuan has a Full-Read SSRF via /api/network/forwardProxy in github.com/siyuan-note/siyuan/kernel
SiYuan has a Full-Read SSRF via /api/network/forwardProxy in github.com/siyuan-note/siyuan/kernel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
Security Bulletin: Multiple vulnerabilities in IBM Aspera Console
Summary: Multiple vulnerabilities were addressed in IBM Aspera Console version 3.4.9. Vulnerability Details: CVEID: CVE-2025-13459. DESCRIPTION: IBM Aspera Console could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow. CWE: CWE-841: Improper...
CVE-2026-2376 Mirror-registry: quay: quay: server-side request forgery via open redirect vulnerability in web interface
A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final...
PYSEC-2026-118
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration allowAbsoluteUrls: true...
CVE-2026-21887 OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration allowAbsoluteUrls: true...
Server-side Request Forgery (SSRF)
Overview: ha-mcp is a Home Assistant MCP Server (complete control of Home Assistant through MCP). Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the haurl parameter in the OAuth consent form and forged tokens in REST and WebSocket tool calls. An attacker ca...
EUVD-2026-11480
A vulnerability was determined in zyddnys manga-image-translator up to beta-0.3. The affected element is the function topilimage of the file manga-image-translator-main/server/requestextraction.py of the component Translate Endpoints. This manipulation causes server-side request forgery. It is...
OpenClaw code issue vulnerability (CNVD-2026-13590)
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a code issue vulnerability: the attachment and media URL hydration contains a server-side request forgery, which an attacker can use to obtain arbitrary HTTPS URL...
Tolgee code issue vulnerability
Tolgee is an open-source, multilingual translation and localization platform developed by Tolgee itself. It aims to help development teams easily manage and maintain multilingual software applications and websites. Versions of Tolgee prior to 3.166.3 contained code vulnerabilities. These...
PT-2026-25060
Name of the Vulnerable Software and Affected Versions: Tolgee versions prior to 3.166.3. Description: Tolgee is an open-source localization platform. The XML parsers used for importing Android XML resources (.xml) and .resx files do not disable external entity processing. An authenticated user who can...
CVE-2026-32133 2FAuth has Blind SSRF in image parameter allows internal network access and more
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...
CVE-2026-32110 SiYuan has a Full-Read SSRF via /api/network/forwardProxy
SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and...