EUVD-2022-1740
Malicious code in bioql PyPI...
EUVD-2024-1071
Malicious code in bioql PyPI...
EUVD-2021-32632
Malicious code in bioql PyPI...
F5 Networks BIG-IP : libuv vulnerability (K000152876)
The version of F5 Networks BIG-IP installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the K000152876 advisory. libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in...
CVE-2025-54590 webfinger.js is vulnerable to Blind SSRF attacks through localhost
webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in...
PT-2025-31675 · Unknown · Webfinger.Js
Name of the Vulnerable Software and Affected Versions: webfinger.js versions 2.8.0 and below Description: webfinger.js is a TypeScript-based WebFinger client used in browser and Node.js environments. The lookup function does not prevent access to localhost services, only checking for hosts that...
NewStart CGSL MAIN 7.02 : libuv Vulnerability (NS-SA-2025-0112)
The remote NewStart CGSL host, running version MAIN 7.02, has libuv packages installed that are affected by a vulnerability: - libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in src/unix/getaddrinfo.c and its Windows counterpart...
ROS-20250630-03
A vulnerability in the Symfony web application development and management platform exists due to a failure to neutralize special elements. Exploitation of the vulnerability could allow a remote attacker to execute arbitrary code. A vulnerability in the Symfony w...
SUSE SLES12 Security Update : wget (SUSE-SU-2025:01921-1)
The remote SUSE Linux SLES12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:01921-1 advisory. - CVE-2024-10524: Dropped support for shorthand URLs that enabled SSRF attacks (bsc#1233773). Tenable has extracted the preceding description block...
CVE-2025-47293
CVE-2025-47293 concerns PowSyBl (Power System Blocks) where powsybl-core XML parsing via com.powsybl.commons.xml.XmlReader is vulnerable to XXE and SSRF. The root cause is treating XmlReader as trusted when untrusted XML (CGMES/XIIDM) is submitted, allowing privilege escalation to read sensitive ...
TencentOS Server 3: libuv (TSSA-2024:0314)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:0314 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...
CVE-2024-0677
The Pz-LinkCard WordPress plugin through 2.5.1 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks...
CVE-2024-23654
discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit...
CVE-2024-55892
TYPO3 is a free and open source Content Management Framework. Applications that use TYPO3\CMS\Core\Http\Uri to parse externally provided URLs e.g., via a query parameter and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the...
CVE-2023-6991
The JSM filegetcontents Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks...
CVE-2023-5798
The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get, which could allow users with a role as low as Editor to perform SSRF attacks...
CVE-2022-45326
An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks...
CVE-2022-22702
PartKeepr versions up to v1.4.0, in the functionality that uploads attachments from a URL when creating a part, do not prevent requests to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration...
CVE-2022-36663
Gluu Oxauth before v4.4.1 allows attackers to execute blind SSRF (Server-Side Request Forgery) attacks via a crafted request_uri parameter...
CVE-2022-3247
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL it makes a request to is an external one. As a result, any authenticated user, such as a subscriber, could perform SSRF attacks...