10764 matches found
CVE-2026-32096 Plunk has SSRF via unvalidated AWS SNS SubscriptionConfirmation in POST /webhooks/sns
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery SSRF vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to an...
CVE-2026-31974 Blind SSRF on OpenProject instance via webhooks
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint POST /admin/settings/mailnotifications accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists a...
CVE-2026-31974
OpenProject prior to 17.2.0 is affected by an SSRF vulnerability via the SMTP test endpoint (POST /admin/settings/mail_notifications) and via webhooks, where arbitrary host/port values enable timing and error differences to map internal hosts and reachable services/ports. Root cause: improper han...
CVE-2026-31959 SSRF in Quill via unvalidated URL from Apple notarization log retrieval
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains a Server-Side Request Forgery SSRF vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple'...
PT-2026-24557
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery SSRF vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate...
CVE-2026-26801
Server-Side Request Forgery SSRF vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy method allowing server operato...
EUVD-2026-10788
MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers...
CVE-2026-27826
CVE-2026-27826 — MCP Atlassian SSRF (pre-0.17.0) Affected: MCP Atlassian server (Confluence/Jira) prior to version 0.17.0.Root cause: HTTP middleware and dependency injection layer improperly validate per-request headers, enabling an unauthenticated attacker to direct outbound requests to attacke...
CVE-2026-27826 MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
MCP Atlassian is a Model Context Protocol MCP server for Atlassian products Confluence and Jira. Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL b...
CVE-2026-26121
Server-side request forgery ssrf in Azure IoT Explorer allows an unauthorized attacker to perform spoofing over a network...
CVE-2026-24316 Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP
SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery SSRF. Successful exploitation could lead to interaction with...
CVE-2026-25960
vLLM is an inference and serving engine for large language models LLMs. The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...
GHSA-V359-JJ2V-J536 vLLM has SSRF Protection Bypass
Summary The SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. Affected Component - File:...
CVE-2026-30839
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...
CVE-2026-30247
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery SSRF through HTTP redirects. While the backend implements comprehensive UR...
PT-2026-24113
vLLM is an inference and serving engine for large language models LLMs. The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load from url async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...
CVE-2026-30858
Technical details for CVE-2026-30858 are not provided in the connected documents. The available sources describe the issue and patch timing but do not specify affected products/versions or exploit details. Monitor for updates.
CVE-2026-30832 Soft Serve: SSRF via unvalidated LFS endpoint in repo import
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is...
CVE-2026-27797
Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive e.g., reaching...
CVE-2026-30839 Wallos: SSRF via webhook test endpoint
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...