Lucene search
K

84 matches found

OSV
OSV
added 6 days ago3 views

CVE-2026-33655 New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...

7.7CVSS6.1AI score0.00437EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/07/07 1:1 p.m.9 views

New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs

Summary The default SSRF protection configuration did not apply IP filtering to hostnames. With ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address. Authenticated users could configure...

7.7CVSS6AI score0.00437EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.10 views

PT-2026-56211

Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1 Description An issue exists where the default Server-Side Request Forgery SSRF protection configuration fails to apply IP filtering to hostnames. Because the ApplyIPFilterForDomain setting is disabled b...

7.7CVSS6AI score0.00437EPSS
Exploits0References6
CVE
CVE
added 2026/06/23 4:42 p.m.28 views

CVE-2026-54018

Open WebUI (self-hosted offline AI) contains SSRF protection bypass in the Playwright Web Loader prior to version 0.9.6. The validator checks only the initial URL; Playwright follows redirects (301/302) by default, allowing an attacker-supplied URL that redirects to internal addresses (e.g., loca...

7.7CVSS5.9AI score0.00287EPSS
Exploits1References1Affected Software1
FreeBSD
FreeBSD
added 2026/06/17 12:0 a.m.10 views

mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms

Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast plus an inline CGNAT range, but those helpers do not match two classes of IPv6 address that should be...

5.8CVSS5.3AI score0.00282EPSS
Exploits0References1
NVD
NVD
added 2026/06/16 3:16 p.m.13 views

CVE-2026-47684

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses e.g. ::ffff:127.0.0.1, allowing SSRF protection to be bypassed ...

7.7CVSS0.00221EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 3:8 p.m.14 views

EUVD-2026-32593

Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection...

7.7CVSS5.2AI score0.00217EPSS
Exploits0References2
OSV
OSV
added 2026/06/12 3:8 p.m.7 views

GHSA-G6QX-G4PR-92V7 Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection

Summary The OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts line 59 uses raw fetchconfig.url with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound HTTP call automation steps, plugin downloads,...

7.7CVSS5.6AI score0.00217EPSS
Exploits0References3
OSV
OSV
added 2026/06/10 8:27 p.m.2 views

CVE-2026-50131 Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting...

8.6CVSS5.9AI score0.00269EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/06/10 1:39 p.m.58 views

Papra HTTP redirect bypass can lead to SSRF via webhook delivery system

Summary Papra's webhook delivery system contains an SSRF protection bypass that allows any authenticated organisation member to cause the server to make HTTP requests to internal addresses — loopback, link-local, and RFC-1918 ranges. The SSRF protection validates the registered webhook URL but...

5.6AI score0.00025EPSS
Exploits0References3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/08 6:37 p.m.14 views

Security Bulletin: IBM Langflow Desktop 1.0.0 - 1.9.2 DNS Rebinding Bypasses SSRF Protection Allowing Access to Internal Services

Summary A Time-of-Check to Time-of-Use TOCTOU vulnerability in IBM Langflow Desktop's SSRF protection allows authenticated attackers to bypass internal network access restrictions using DNS rebinding attacks. The validateurlforssrf function validates URLs using socket.getaddrinfo, but...

5.4CVSS5.6AI score0.00138EPSS
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.23 views

PT-2026-46127

Name of the Vulnerable Software and Affected Versions Docling versions prior to 2.94.0 Description The HTML backend fails to perform sufficient validation during resource handling. This allows local file system access via file:// URIs when enable local fetch is set to True, and enables path...

7.1CVSS5.8AI score0.00217EPSS
Exploits0References8
OSV
OSV
added 2026/05/29 10:27 p.m.8 views

GHSA-5C6W-WWFQ-7QQM PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings

Summary PraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spidertools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...

5.5CVSS6.2AI score0.00014EPSS
Exploits0References2
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.18 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.28 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
NVD
NVD
added 2026/05/27 6:16 p.m.24 views

CVE-2026-48146

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetchconfig.url with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound...

7.7CVSS0.00217EPSS
Exploits0References1
CVE
CVE
added 2026/05/27 5:9 p.m.17 views

CVE-2026-45717

Budibase (prior to 3.38.1) exposed PUT /api/datasources/:datasourceId under TABLE/READ authorization, allowing any authenticated user with BASIC or higher to overwrite a datasource’s config (host, port, database, URL, credentials). The update merges attacker-controlled fields without builder-leve...

8.8CVSS6AI score0.00251EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.14 views

PT-2026-42802

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.examp...

7.6CVSS5.8AI score0.00239EPSS
Exploits2References3
FreeBSD
FreeBSD
added 2026/05/20 12:0 a.m.16 views

gitea -- multiple vulnerabilities

The Gitea team reports: CVE-2026-27783: incorrect read permission check CVE-2026-25714: public-only token filtering bypass CVE-2026-20706: missing token scope checking CVE-2026-27771: unauthenticated access to private container images CVE-2026-28744: git smart HTTP request scope bug CVE-2026-2869...

9.8CVSS6.1AI score0.40738EPSS
Exploits7References2
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.17 views

PT-2026-41763

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt platform/backend/backend/blocks/email block.py accepts a user-supplied smtp server string and smtp port integer as...

5CVSS5.9AI score0.00304EPSS
Exploits0References3
Rows per page
Query Builder