55967 matches found
CVE-2026-26801
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy method allowing server operato...
pdfmake security vulnerability
pdfmake is a pure JavaScript server-side and client-side PDF document generation library developed by Bartek Pampuch. pdfmake versions 0.3.0-beta.2 to 0.3.5 had security vulnerabilities, which stemmed from the src/URLResolver.js component’s server-side request forgery vulnerabilit...
PT-2026-24329
The vulnerability in the Azure IoT Explorer software is related to insufficient validation of input data. Exploitation of the vulnerability may allow a remote attacker to carry out spoofing attacks...
CVE-2026-26801
CVE-2026-26801 describes a Server-Side Request Forgery (SSRF) in pdfmake versions 0.3.0-beta.2 through 0.3.5, exploitable via the src/URLResolver.js component. The underlying issue is that server-side requests could access arbitrary URLs. The fix is in version 0.3.6, which introduces setUrlAccess...
Craft CMS cross-site request forgery vulnerability
Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to 4.17.4 and 5.9.7 of Craft CMS had a cross-site request forgery vulnerability. This vulnerability stemmed from the lack of CSRF token verification at the preview token endpoint, which could allow...
EUVD-2025-208448
An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4...
CVE-2026-25960 SSRF Protection Bypass in vLLM
vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...
CVE-2026-25960
Summary of CVE-2026-25960 (vLLM): The SSRF protection added in 0.15.1 (fix tied to CVE-2026-24779) can be bypassed in vLLM’s load_from_url_async due to inconsistent URL parsing between the validation layer (urllib3.util.parse_url) and the HTTP client (aiohttp with yarl). The vulnerability arises...
CVE-2026-31816 Budibase Universal Auth Bypass via Webhook Query Param Injection
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...
CVE-2026-25737
Budibase (open-source low-code platform) is affected in versions 3.24.0 and earlier by an arbitrary file upload vulnerability where file extension restrictions are enforced only at the UI level, allowing bypass and upload of malicious files. Connected records describe the issue as potentially ena...
EUVD-2026-10343
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request...
CVE-2026-3588
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request...
CVE-2026-3588
CVE-2026-3588 describes a server-side request forgery in IKEA Dirigera v2.866.4. An attacker can exfiltrate private keys by sending a crafted request to the affected server, indicating a potential compromise of sensitive credentials. The CVSS 3.1 base score is 7.5 (HIGH) with attack vector Adjace...
CVE-2026-3588 Server-Side Request Forgery (SSRF) in IKEA Dirigera
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request...
ThermaKube security vulnerability
ThermaKube is a Kubernetes cluster monitoring and visualization tool released under the Open Source Labs beta version. There is a security vulnerability in ThermaKube, which stems from server-side request forgery...
CVE-2025-70042
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master...
PT-2026-24074
An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta ThermaKube master...
CVE-2025-70031
An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4...
Omnissa Workspace ONE Server-Side Request Forgery
Omnissa Workspace One UEM (formerly known as VMware Workspace One UEM) contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information...
PT-2026-24081
A server-side request forgery (SSRF) vulnerability in IKEA Dirigera v2.866.4 allows an attacker to exfiltrate private keys by sending a crafted request...