
55970 matches found

Debian CVE
added 2026/02/05 11:8 p.m. | 5 views

CVE-2025-68157

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

CVSS 3.7 | AI score 5.3 | EPSS 0.002
Exploits: 1

CVE
added 2026/02/05 11:8 p.m. | 32 views

CVE-2025-68458

Webpack CVE-2025-68458 affects Webpack’s HTTP(S) resolver (HttpUriPlugin) when experiments.buildHttp is enabled. A crafted URL containing userinfo (username:password@host) can bypass allowedUris checks and cause the build process to request resources from internal or non-whitelisted hosts, enabli...

CVSS 3.7 | AI score 5.4 | EPSS 0.002
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack
added 2026/02/05 9:20 p.m. | 8 views

WordPress JSM file_get_contents() Shortcode plugin < 2.7.1 - Contributor+ SSRF vulnerability

Contributor+ SSRF vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin JSM file_get_contents() Shortcode versions 2.7.1...

CVSS 8.8 | AI score 5.3 | EPSS 0.00694
Exploits: 2 | References: 1 | Affected Software: 1

Snyk
added 2026/02/05 6:38 p.m. | 4 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component. An attacker can cause unauthorized outbound requests to internal or otherwise restricted endpoints and include untrusted content in build outputs by crafting URLs with...

CVSS 3.7 | AI score 5.4 | EPSS 0.002
Exploits: 1 | References: 2

Snyk
added 2026/02/05 6:35 p.m. | 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component when HTTP redirects are followed without re-validating the allowed URIs. An attacker can cause unauthorized network requests to internal services and inclusion of untruste...

CVSS 3.7 | AI score 5.5 | EPSS 0.002
Exploits: 1 | References: 2

NVD
added 2026/02/05 5:16 p.m. | 10 views

CVE-2020-37144

Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without...

CVSS 5.3 | EPSS 0.00175
Exploits: 0 | References: 4

Information Security Automation
added 2026/02/05 4:58 p.m. | 6 views

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type. I try to use a very small set of base vulnerability types (around 20) in Vulristics and map everything else to them. With a few exceptions, these are the same types Microsoft uses - and Microsoft...

AI score 5.9
Exploits: 0

OSV
added 2026/02/05 4:15 p.m. | 3 views

CVE-2025-68722

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...

CVSS 8.8 | AI score 6.1 | EPSS 0.00244
Exploits: 1 | References: 3

ATTACKERKB
added 2026/02/05 4:13 p.m. | 4 views

CVE-2020-37149

Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's...

CVSS 8.1 | AI score 5.7 | EPSS 0.00289
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2026/02/05 4:13 p.m. | 31 views

CVE-2020-37149 Edimax Technology EW-7438RPn-v3 Mini 1.27 - Cross-Site Request Forgery (CSRF) to Command Execution

Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's...

CVSS 8.1 | EPSS 0.00289
Exploits: 1 | References: 3

Vulnrichment
added 2026/02/05 4:13 p.m. | 5 views

CVE-2020-37149 Edimax Technology EW-7438RPn-v3 Mini 1.27 - Cross-Site Request Forgery (CSRF) to Command Execution

Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's...

CVSS 8.1 | AI score 5.7 | EPSS 0.00289
Exploits: 1 | References: 3

CVE
added 2026/02/05 4:13 p.m. | 13 views

CVE-2020-37149

CVE-2020-37149 affects Edimax EW-7438RPn-v3 Mini (firmware around v1.27). The root cause is a CSRF vulnerability that lets an attacker trick an authenticated user into submitting a crafted request to the /goform/mp endpoint, resulting in arbitrary command execution with the user’s privileges. Pub...

CVSS 8.8 | AI score 5.7 | EPSS 0.00289
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2026/02/05 4:13 p.m. | 9 views

CVE-2020-37118

CVE-2020-37118 affects P5 FNIP-8x16A FNIP-4xSH 1.0.20. The vulnerability is a cross-site request forgery that can perform administrative actions without user interaction by tricking an authenticated user into loading a crafted page (e.g., adding admin users, changing passwords, modifying configs)...

CVSS 5.1 | AI score 5.2 | EPSS 0.0014
Exploits: 0 | References: 6

ATTACKERKB
added 2026/02/05 4:13 p.m. | 3 views

CVE-2020-37118

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking...

CVSS 5.1 | AI score 5.2 | EPSS 0.0014
Exploits: 0 | References: 5 | Affected Software: 1

CVE
added 2026/02/05 9:13 a.m. | 13 views

CVE-2026-1294

The CVE-2026-1294 issue affects the WordPress plugin All In One Image Viewer Block, version

CVSS 7.2 | AI score 5.6 | EPSS 0.00293
Exploits: 0 | References: 3

Vulnrichment
added 2026/02/05 9:13 a.m. | 5 views

CVE-2026-1294 All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

CVSS 7.2 | AI score 5.6 | EPSS 0.00293
Exploits: 0 | References: 3

Veracode
added 2026/02/05 5:42 a.m. | 6 views

Server-Side Request Forgery (SSRF)

Apache HTTP Server is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper handling of encoded and merged slashes when AllowEncodedSlashes is enabled and MergeSlashes is disabled on Windows, which allows an attacker to exploit crafted requests or malicious content ...

CVSS 7.5 | AI score 7.3 | EPSS 0.00771
Exploits: 0 | References: 4 | Affected Software: 1

EUVD
added 2026/02/05 12:31 a.m. | 3 views

EUVD-2024-55398

IBM Operations Analytics – Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics – Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions...

CVSS 4.3 | AI score 5.2 | EPSS 0.00128
Exploits: 0 | References: 2

Cvelist
added 2026/02/05 12:0 a.m. | 26 views

CVE-2025-68722

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...

EPSS 0.00244
Exploits: 1 | References: 2

ATTACKERKB
added 2026/02/04 9:32 p.m. | 5 views

CVE-2026-1884

A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made...

CVSS 5.8 | AI score 4.9 | EPSS 0.00381
Exploits: 1 | References: 5