55968 matches found

OSV
added 2026/02/19 10:49 p.m. | 5 views

CVE-2026-26324 OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This could allow requests that should be blocked (loopback / private network / link-local metada...

CVSS 7.5 | AI score 5.5 | EPSS 0.00391
Exploits: 0 | References: 5

ATTACKERKB
added 2026/02/19 10:49 p.m. | 4 views

CVE-2026-26324

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This could allow requests that should be blocked (loopback / private network / link-local metada...

CVSS 7.5 | AI score 5.5 | EPSS 0.00391
Exploits: 0 | References: 4 | Affected Software: 1

Vulnrichment
added 2026/02/19 10:36 p.m. | 4 views

CVE-2025-13671 Cross Site request forgery vulnerability discovered in OpenText WSM Management Server.

Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously. This...

CVSS 5.9 | AI score 5.4 | EPSS 0.0015
Exploits: 1 | References: 1

Vulnrichment
added 2026/02/19 10:21 p.m. | 1 view

CVE-2025-8055 SSRF vulnerability has been discovered in OpenText™ XM Fax

Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server. This issue affects XM Fax: 24.2...

CVSS 5.3 | AI score 5.4 | EPSS 0.00163
Exploits: 0 | References: 1

OSV
added 2026/02/19 9:2 p.m. | 3 views

CVE-2026-26286 SillyTavern has Server-Side Request Forgery (SSRF) via Asset Download Endpoint that Allows Reading Internal Services

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. In versions prior to 1.16.0, a Server-Side Request Forgery (SSRF) vulnerability in the asset download endpoint allow...

CVSS 7.1 | AI score 5.8 | EPSS 0.00282
Exploits: 1 | References: 3

OSV
added 2026/02/19 7:22 p.m. | 5 views

CVE-2026-27472

SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitra...

CVSS 4.3 | AI score 5.8
Exploits: 0 | References: 3

NVD
added 2026/02/19 7:22 p.m. | 13 views

CVE-2026-27472

SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitra...

CVSS 5.3 | EPSS 0.00262
Exploits: 0 | References: 3

Vulnrichment
added 2026/02/19 6:38 p.m. | 2 views

CVE-2026-27472 SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites

SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitra...

CVSS 5.3 | AI score 5.8 | EPSS 0.00262
Exploits: 0 | References: 3

NVD
added 2026/02/19 6:24 p.m. | 7 views

CVE-2026-26338

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality...

CVSS 9.8 | EPSS 0.0036
Exploits: 0 | References: 3

OSV
added 2026/02/19 6:24 p.m. | 8 views

CVE-2026-26338

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality...

CVSS 9.8 | AI score 5.8 | EPSS 0.00544
Exploits: 0 | References: 3

GithubExploit
added 2026/02/19 6:1 p.m. | 135 views

web-vuln-scanner

web-vuln-scanner A Python-based web vulnerabili...

AI score 5.5
Exploits: 0

CVE
added 2026/02/19 5:3 p.m. | 15 views

CVE-2026-26338

The CVE-2026-26338 entry pertains to Hyland Alfresco Transformation Service. The connected documents confirm an unauthenticated server-side request forgery (SSRF) via the service’s document processing functionality. The root cause, affected component, and explicit exploit details are not enumerat...

CVSS 9.8 | AI score 5.5 | EPSS 0.00544
Exploits: 0 | References: 3 | Affected Software: 1

NVD
added 2026/02/19 4:27 p.m. | 6 views

CVE-2026-2274

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no...

CVSS 8.5 | EPSS 0.00252
Exploits: 0 | References: 1

Vulnrichment
added 2026/02/19 3:30 p.m. | 4 views

CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of...

CVSS 6.9 | AI score 5.6 | EPSS 0.00189
Exploits: 0 | References: 3

CVE
added 2026/02/19 3:21 p.m. | 9 views

CVE-2026-2274

CVE-2026-2274 describes a vulnerability in Google AppSheet’s AppSheet Core allowing an authenticated remote attacker to perform SSRF and arbitrary file read via crafted requests to the production cluster. Affected behavior includes reading sensitive local files and accessing internal network reso...

CVSS 8.5 | AI score 5.6 | EPSS 0.00252
Exploits: 0 | References: 1

NVD
added 2026/02/19 3:16 p.m. | 6 views

CVE-2025-55853

SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTM...

CVSS 9.1 | EPSS 0.00373
Exploits: 1 | References: 2

Cvelist
added 2026/02/19 2:58 p.m. | 20 views

CVE-2025-71247

...

Exploits: 0

CVE
added 2026/02/19 2:58 p.m. | 10 views

CVE-2025-71247

SPIP 4.4.9 fixes an authenticated SSRF in the syndicated sites feature. CVE-2025-71247 affects SPIP

AI score 5.9
Exploits: 0

NVD
added 2026/02/19 9:16 a.m. | 3 views

CVE-2026-27090

Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery. This issue affects Kenta Companion: from n/a through = 1.3.3...

CVSS 4.3 | EPSS 0.00098
Exploits: 0 | References: 1

NVD
added 2026/02/19 9:16 a.m. | 6 views

CVE-2026-25411

Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery. This issue affects Revision Manager TMC: from n/a through = 2.8.22...

CVSS 4.3 | EPSS 0.00107
Exploits: 0 | References: 1