vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector

Summary A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods obtain and process media from URLs provided by users, using different Python parsing libraries when restrictin...

TaskWeaver has Protection Mechanism Failure and Server-Side Request Forgery (SSRF)

Summary This vulnerability allows a user to escape the container network isolation and access the host’s local services 127.0.0.1 bound on the host. The vulnerability is applicable only on the MacOS and Windows environments while using Docker Desktop, Containerd on Lima VM, or Podman. Details...

GHSA-GPX9-96J6-PP87 TaskWeaver has Protection Mechanism Failure and Server-Side Request Forgery (SSRF)

Summary This vulnerability allows a user to escape the container network isolation and access the host’s local services 127.0.0.1 bound on the host. The vulnerability is applicable only on the MacOS and Windows environments while using Docker Desktop, Containerd on Lima VM, or Podman. Details...

WordPress Zita Elementor Site Library plugin <= 1.6.6 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Nabil Irawan in WordPress Plugin Zita Elementor Site Library versions = 1.6.6...

WordPress Enter Addons plugin <= 2.3.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Nabil Irawan in WordPress Plugin Enter Addons versions = 2.3.2...

CVE-2025-59891

Cross-Site request forgery CSRF vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...

CVE-2025-59894

Cross-Site request forgery CSRF vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...

CVE-2025-59892

Cross-Site request forgery CSRF vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...

CVE-2025-14616

The Recooty – Job Widget Old Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recootysavemaybe function. This makes it possible for unauthenticated attackers to update the...

EUVD-2025-206493

Cross-Site request forgery CSRF vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...

CVE-2025-59894

CVE-2025-59894 is a CSRF flaw affecting Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. The issue arises from missing CSRF token validation, enabling an authenticated attacker to induce other logged-in users to perform unintended actions, such as issuing a POST to delet...

CVE-2025-59892

Cross-Site request forgery CSRF vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...

EUVD-2025-206487

The Recooty – Job Widget Old Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recootysavemaybe function. This makes it possible for unauthenticated attackers to update the...

Server-Side Request Forgery (SSRF)

shopware/core is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of user-supplied input used in server-side HTTP requests, which allows an attacker to coerce the server into sending requests to internal or external systems, potentially leading to...

CVE-2025-14610

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for...

CVE-2025-14610 TableMaster for Elementor <= 1.3.6 - Authenticated (Author+) Server-Side Request Forgery via 'csv_url' Parameter

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for...

SUSE CVE-2026-24408

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. OAuthSession creates a unique "state" and sends it as a parameter in the authentication request bu...

Flexense Sync Breeze Enterprise Server and Flexense Disk Pulse Enterprise have vulnerabilities related to cross-site request forgeing attacks.

Flexense Sync Breeze Enterprise Server and Flexense Disk Pulse Enterprise are both products of Flexense Corporation. Flexense Sync Breeze Enterprise Server is a network file synchronization software. Flexense Disk Pulse Enterprise is a real-time file system monitoring software. Both the Flexense...

Drupal Acquia Content Hub security vulnerabilities

Drupal Acquia Content Hub is a content distribution plugin for the Drupal community. Versions of Drupal Acquia Content Hub prior to 3.6.4 and 3.7.3 contained security vulnerabilities, which were due to a vulnerability that was vulnerable to cross-site request forgery attacks...

PT-2026-5058

Name of the Vulnerable Software and Affected Versions TableMaster for Elementor versions up to and including 1.3.6 Description The TableMaster for Elementor plugin for WordPress is susceptible to Server-Side Request Forgery. This occurs because the plugin does not limit the URLs that can be...