55967 matches found
CVE-2026-30793
Cross-Site Request Forgery CSRF vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android Flutter URI scheme handler, FFI bridge modules allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart,...
CVE-2026-30793
Cross-Site Request Forgery CSRF vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android Flutter URI scheme handler, FFI bridge modules allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart,...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without...
EUVD-2026-9698
Server-Side Request Forgery SSRF vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through = 1.2.6...
CVE-2026-28036
CVE-2026-28036 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Ratatouille WordPress Theme (SkatDesign) version 1.2.6 and earlier. The connected Wordfence report documents it as an authenticated issue (Subscriber+), indicating exploitation would require valid credentials and a...
CVE-2026-28036 WordPress Ratatouille theme <= 1.2.6 - Server Side Request Forgery (SSRF) vulnerability
Server-Side Request Forgery SSRF vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through = 1.2.6...
opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
A Server-Side Request Forgery SSRF vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...
GHSA-C7MQ-GH6Q-6Q7C opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
A Server-Side Request Forgery SSRF vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...
Cross-site Request Forgery (CSRF)
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the /session/verify component. An attacker can gain unauthorized access to user sessions by exploiting incomplete protections, potentially allowing takeover of site...
GHSA-9M84-WC28-W895 Ghost has incomplete CSRF protections around OTC use
Impact Incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. Vulnerable versions This vulnerability is present in Ghost from...
PT-2026-23458
Cross-Site Request Forgery CSRF vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android Flutter URI scheme handler, FFI bridge modules allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart,...
OpenClaw 代码问题漏洞
OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.14 had code-related vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing vulnerability in the Feishu extension, which could allow attackers to obtain control of remote...
Debian dsa-6155 : spip - security update
The remote Debian 13 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-6155 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6155-1 [email protected] https://www.debian.org/securit...
GHSA-4RQQ-W8V4-7P47 OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
Summary isPrivateIpv4 in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so webfetch could allow targets that should be blocked by SSRF policy. Affected Packages / Versions - Package: openclaw npm - Latest published affected version: 2026.2.21-2 published 2026-02-21 -...
Server-side Request Forgery (SSRF)
Overview @openclaw/nostr is an OpenClaw Nostr channel plugin for NIP-04 encrypted DMs Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the URL ingestion process. An attacker can access internal or private network resources by crafting a URL containing an...
GHSA-8CP7-RP8R-MG77 OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP
Summary OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses ...:5efe:w.x.y.z. A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target for example loopback and bypass private-address filtering in URL-fetching paths. Severity Assessment Rated...
CVE-2026-3125
CVE-2026-3125 affects the @opennextjs/cloudflare package and its /cdn-cgi/image/ handler. A path normalization bypass (using a backslash in the path, e.g., /cdn-cgi\image/…) can bypass Cloudflare edge interception, allowing requests to reach the Worker and trigger an unvalidated fetch of arbitrar...
EUVD-2026-9357
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via groupid parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerabilit...