
55970 matches found

Positive Technologies
added 2026/02/07 12:0 a.m. | 9 views

PT-2026-7096

CVE-2026-25840 - Apache HTTP Server Cross-Site Request Forgery
CVE ID: CVE-2026-25840
Published: Feb. 7, 2026, 4:15 a.m. | 39 minutes ago
Description: Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

5.5 AI score
Exploits 0 | References 1

ATTACKERKB
added 2026/02/06 11:16 p.m. | 5 views

CVE-2020-37079

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user...

5.1 CVSS | 5.2 AI score | 0.0017 EPSS
Exploits 1 | References 4 | Affected Software 1

Vulnrichment
added 2026/02/06 11:14 p.m. | 3 views

CVE-2020-37106 Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

5.3 CVSS | 5.3 AI score | 0.00181 EPSS
Exploits 0 | References 3

CVE
added 2026/02/06 11:14 p.m. | 10 views

CVE-2020-37106

The CVE-2020-37106 issue affects Business Live Chat Software 1.0 and is described as a cross-site request forgery (CSRF) vulnerability. A remote attacker can craft a malicious HTML form that sends a POST to the user creation endpoint with administrative access parameters to change user account ro...

5.3 CVSS | 5.2 AI score | 0.00181 EPSS
Exploits 0 | References 3

ATTACKERKB
added 2026/02/06 11:14 p.m. | 4 views

CVE-2020-37106

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

5.3 CVSS | 5.2 AI score | 0.00181 EPSS
Exploits 0 | References 3 | Affected Software 1

Cvelist
added 2026/02/06 11:14 p.m. | 32 views

CVE-2020-37106 Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

5.3 CVSS | 0.00181 EPSS
Exploits 0 | References 3

Vulnrichment
added 2026/02/06 9:19 p.m. | 4 views

CVE-2026-25123 Homarr affected by Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping

Homarr is an open-source dashboard. Prior to 1.52.0, a public unauthenticated tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF...

5.3 CVSS | 5.8 AI score | 0.00264 EPSS
Exploits 0 | References 1

Cvelist
added 2026/02/06 9:19 p.m. | 28 views

CVE-2026-25123 Homarr affected by Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping

Homarr is an open-source dashboard. Prior to 1.52.0, a public unauthenticated tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF...

5.3 CVSS | 0.00264 EPSS
Exploits 0 | References 1

ATTACKERKB
added 2026/02/06 9:1 p.m. | 3 views

CVE-2026-25580

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources,...

8.6 CVSS | 5.5 AI score | 0.00464 EPSS
Exploits 1 | References 3 | Affected Software 1

OSV
added 2026/02/06 9:1 p.m. | 6 views

CVE-2026-25580 Pydantic AI Affected by Server-Side Request Forgery (SSRF) in URL Download Handling

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources,...

8.6 CVSS | 5.5 AI score | 0.00464 EPSS
Exploits 1 | References 4

CVE
added 2026/02/06 8:25 a.m. | 16 views

CVE-2026-1785

The CVE-2026-1785 entry concerns the Code Snippets plugin for WordPress, affected versions up to and including 3.9.4. The root cause is missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class, enabling Cross‑Site Request Forgery (CSRF). This ...

4.3 CVSS | 5.5 AI score | 0.00191 EPSS
Exploits 0 | References 6

Cvelist
added 2026/02/06 8:25 a.m. | 29 views

CVE-2026-1785 Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions

The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the CloudSearchListTable class. This makes it possible for unauthenticated...

4.3 CVSS | 0.00191 EPSS
Exploits 0 | References 6

GithubExploit
added 2026/02/06 4:45 a.m. | 224 views

Exploit for Server-Side Request Forgery in Lobehub Lobe_Chat

AAA CVE-2024-32964 SSRF Assessment Agentified Agent Assessmen...

9 CVSS | 8.2 AI score | 0.52964 EPSS
Exploits 2

RedhatCVE
added 2026/02/06 1:26 a.m. | 6 views

CVE-2025-68722

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...

8.8 CVSS | 5.7 AI score | 0.00244 EPSS
Exploits 1 | References 1

Patchstack
added 2026/02/06 12:40 a.m. | 8 views

WordPress Code Snippets plugin <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions vulnerability

Cross-Site Request Forgery to Cloud Snippet Download/Update Actions vulnerability discovered by type5afe in WordPress Plugin Code Snippets versions <= 3.9.4...

4.3 CVSS | 5.4 AI score | 0.00191 EPSS
Exploits 0 | References 1 | Affected Software 1

Positive Technologies
added 2026/02/06 12:0 a.m. | 7 views

PT-2026-6846

Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially...

8.6 CVSS | 5.8 AI score | 0.00464 EPSS
Exploits 1 | References 5

Tenable Nessus
added 2026/02/06 12:0 a.m. | 6 views

Linux Distros Unpatched Vulnerability : CVE-2025-68157

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack's HTTPS resolver HttpUriPlugin enforces...

3.7 CVSS | 5.7 AI score | 0.002 EPSS
Exploits 1 | References 4

Vulnrichment
added 2026/02/05 11:8 p.m. | 3 views

CVE-2025-68157 webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

3.7 CVSS | 5.4 AI score | 0.002 EPSS
Exploits 1 | References 1

ATTACKERKB
added 2026/02/05 11:8 p.m. | 5 views

CVE-2025-68157

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

3.7 CVSS | 5.4 AI score | 0.002 EPSS
Exploits 1 | References 2 | Affected Software 1

Cvelist
added 2026/02/05 11:8 p.m. | 33 views

CVE-2025-68157 webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

3.7 CVSS | 0.002 EPSS
Exploits 1 | References 1