10756 matches found
PT-2026-25758
Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-urllib3 (UTSA-2026-006150)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006150 advisory. urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and...
CVE-2026-32301
CVE-2026-32301 affects Centrifugo up to 6.6.x. An unauthenticated attacker can cause SSRF by crafting a JWT whose iss or aud claims interpolate into a dynamic JWKS endpoint URL before token verification, triggering Centrifugo to make a request to an attacker‑controlled destination. The dynamic JW...
CVE-2026-32301
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery SSRF when configured with a dynamic JWKS endpoint URL using template variables e.g. tenant. An unauthenticated attacker can craft a JWT with a malicious iss or...
CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...
CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...
CVE-2026-32236 @backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...
CVE-2026-21887
OpenCTI platform (data ingestion feature) is vulnerable prior to 6.8.16 due to accepting user-supplied URLs without validation and using Axios with allowAbsoluteUrls: true, enabling semi-blind SSRF to internal endpoints. Impact reported as HIGH (CVSS 3.1: 7.7) with network attack vector and low p...
SiYuan has a Full-Read SSRF via /api/network/forwardProxy
Summary The /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to...
CVE-2026-32133 2FAuth has Blind SSRF in image parameter allows internal network access and more
2FAuth is a web app to manage Two-Factor Authentication 2FA accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...
CVE-2026-3958
A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/apiserver.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The...
CVE-2026-32096 Plunk has SSRF via unvalidated AWS SNS SubscriptionConfirmation in POST /webhooks/sns
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery SSRF vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to an...
CVE-2026-32096 Plunk has SSRF via unvalidated AWS SNS SubscriptionConfirmation in POST /webhooks/sns
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery SSRF vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to an...
CVE-2026-31974 Blind SSRF on OpenProject instance via webhooks
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint POST /admin/settings/mailnotifications accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists a...
CVE-2026-31974
OpenProject prior to 17.2.0 is affected by an SSRF vulnerability via the SMTP test endpoint (POST /admin/settings/mail_notifications) and via webhooks, where arbitrary host/port values enable timing and error differences to map internal hosts and reachable services/ports. Root cause: improper han...
CVE-2026-31959 SSRF in Quill via unvalidated URL from Apple notarization log retrieval
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains a Server-Side Request Forgery SSRF vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple'...
PT-2026-24557
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery SSRF vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate...
CVE-2026-26801
Server-Side Request Forgery SSRF vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy method allowing server operato...
EUVD-2026-10788
MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers...
CVE-2026-27826 MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
MCP Atlassian is a Model Context Protocol MCP server for Atlassian products Confluence and Jira. Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL b...