Lucene search
10757 matches found

RedhatCVE | added 2026/03/05 7:30 p.m. | 4 views

CVE-2026-3125

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

CVSS 7.7 | AI score 6.1 | EPSS 0.00363
Exploits 0 | References 1

Vulnrichment | added 2026/03/05 4:23 p.m. | 3 views

CVE-2026-27023 Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass...

CVSS 5 | AI score 5.7 | EPSS 0.00199
Exploits 0 | References 2

CVE | added 2026/03/05 4:23 p.m. | 15 views

CVE-2026-27023

Twenty CRM prior to v1.18 had SSRF protection in SecureHttpClientService that failed to validate redirect targets. An authenticated user controlling outbound URLs could bypass private IP blocking by redirecting via an attacker-controlled server, enabling SSRF. The issue is fixed in v1.18. Affecte...

CVSS 5 | AI score 5.8 | EPSS 0.00199
Exploits 0 | References 2 | Affected software 1

Cvelist | added 2026/03/05 4:23 p.m. | 28 views

CVE-2026-27023 Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass...

CVSS 5 | EPSS 0.00199
Exploits 0 | References 2

NVD | added 2026/03/05 6:16 a.m. | 5 views

CVE-2026-28036

Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery. This issue affects Ratatouille: from n/a through <= 1.2.6...

CVSS 6.4 | EPSS 0.00168
Exploits 0 | References 1

Positive Technologies | added 2026/03/05 12:00 a.m. | 7 views

PT-2026-23479

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass...

CVSS 5 | AI score 5.8 | EPSS 0.00199
Exploits 0 | References 3

Positive Technologies | added 2026/03/05 12:00 a.m. | 6 views

PT-2026-23618

Name of the Vulnerable Software and Affected Versions: Plane versions prior to 1.2.3. Description: The webhook URL validation in plane/app/serializers/webhook.py only checks if the IP address is loopback, allowing attackers with the workspace ADMIN role to create webhooks pointing to private or internal...

CVSS 8.5 | AI score 5.8 | EPSS 0.00284
Exploits 0 | References 7

Github Security Blog | added 2026/03/04 8:55 p.m. | 5 views

Lemmy has unauthenticated SSRF via file_type query parameter injection in image endpoint

Summary: The GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter, which causes pict-rs to fetch...

CVSS 8.7 | AI score 6.1 | EPSS 0.00272
Exploits 0 | References 4 | Affected software 1

OSV | added 2026/03/04 7:03 p.m. | 3 views

GHSA-4RQQ-W8V4-7P47 OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard

Summary: isPrivateIpv4 in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so web_fetch could allow targets that should be blocked by SSRF policy. Affected Packages / Versions - Package: openclaw (npm) - Latest published affected version: 2026.2.21-2 (published 2026-02-21) -...

CVSS 6.9 | AI score 6 | EPSS 0.00206
Exploits 0 | References 8

Github Security Blog | added 2026/03/04 6:55 p.m. | 8 views

OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP

Summary: OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses (...:5efe:w.x.y.z). A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target (for example loopback) and bypass private-address filtering in URL-fetching paths. Severity Assessment: Rated...

AI score 6
Exploits 0 | References 3 | Affected software 1

Cvelist | added 2026/03/04 6:14 p.m. | 30 views

CVE-2026-3125 SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

CVSS 7.7 | EPSS 0.00363
Exploits 0 | References 4

Positive Technologies | added 2026/03/04 12:00 a.m. | 8 views

PT-2026-23101

Name of the Vulnerable Software and Affected Versions: Lemmy versions prior to 0.19.16. Description: Lemmy, a link aggregator and forum, contains a server-side request forgery (SSRF) issue. The GET /api/v4/image/{filename} endpoint is susceptible to unauthenticated SSRF due to parameter injection in the...

CVSS 8.7 | AI score 5.9 | EPSS 0.00272
Exploits 0 | References 9

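The two Lemmy entries above describe one mechanism: a value taken from the public request's file_type query parameter was spliced into the URL of an internal request to pict-rs, so an `&proxy=...` inside that value became an extra parameter that pict-rs acted on. The Python below is an added example, not Lemmy's or pict-rs's code; the internal route `/image/process` with `src` and `format` parameters and the format allowlist are assumed for illustration, and only the `proxy` parameter name comes from the advisory. It shows the string-formatting shape beside a builder that allowlists the behaviour-selecting value and URL-encodes the rest.

```python
from __future__ import annotations

from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed internal service location and route; not Lemmy's or pict-rs's real layout.
PICTRS_BASE = "http://pict-rs.internal:8080"
ALLOWED_FORMATS = frozenset({"jpg", "png", "webp", "avif"})   # constructed allowlist


def pictrs_url_vulnerable(filename: str, file_type: str) -> str:
    """Request values spliced into the internal URL by string formatting. A
    file_type of 'webp&proxy=http://169.254.169.254/' becomes two parameters,
    and the second one is something only the internal service understands."""
    return f"{PICTRS_BASE}/image/process?src={filename}&format={file_type}"


def pictrs_url_hardened(filename: str, file_type: str) -> str:
    """Allowlist the value that selects behaviour, and let urlencode escape the
    rest, so the public request can never add a parameter of its own."""
    if file_type not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported file_type {file_type!r}")
    query = urlencode({"src": filename, "format": file_type})   # '&' -> %26, '=' -> %3D
    return f"{PICTRS_BASE}/image/process?{query}"


def query_params(url: str) -> Dict[str, List[str]]:
    """The parameters the internal service would actually receive."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def injected_params(url: str, expected=("src", "format")) -> List[str]:
    """Parameter names present that the endpoint never meant to forward."""
    return sorted(k for k in query_params(url) if k not in expected)


if __name__ == "__main__":
    hostile = "webp&proxy=http://169.254.169.254/latest/meta-data/"   # constructed payload
    bad = pictrs_url_vulnerable("cat.jpg", hostile)
    print(bad, "->", injected_params(bad))
    try:
        pictrs_url_hardened("cat.jpg", hostile)
    except ValueError as e:
        print("hardened:", e)
    print(pictrs_url_hardened("cat.jpg&proxy=http://169.254.169.254/", "webp"))
```

The allowlist matters for the value that ends up selecting server-side behaviour; encoding alone is what stops `&` and `=` inside any other value from splitting the query string.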
OSV | added 2026/03/03 9:48 p.m. | 4 views

GHSA-H97F-6PQJ-Q452 OpenClaw has an IPv6 multicast SSRF classifier bypass

Summary: OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (ff00::/8) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks. Impact: A bypass in address classification existed for IPv6 multicast literals. OpenClaw's network fetch/navigation...

CVSS 6.3 | AI score 5.9
Exploits 0 | References 3

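The OpenClaw entries above (missing IPv4 special-use ranges, ISATAP-embedded IPv4, IPv6 multicast) and the Plane entry (a loopback-only check) are all gaps in one function: deciding whether an address is a legitimate outbound target. The Python below is an added example, not code from OpenClaw, Plane, or any other project listed here. The range table follows the IANA special-purpose address registries; the probe addresses are constructed. Beyond the cases in the advisories, it also unwraps IPv4 addresses carried inside IPv6 literals (IPv4-mapped, IPv4-compatible, 6to4, NAT64, ISATAP ::5efe:w.x.y.z) and classifies the inner address, since any of those encodings can smuggle a private target past a check that only looks at the outer form.

```python
from __future__ import annotations

from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Optional

# Constructed denylist of IPv4 special-purpose ranges (IANA registry / RFC 6890).
# A check that only tests 127.0.0.0/8 misses everything else in this table.
IPV4_SPECIAL = [
    (ip_network("0.0.0.0/8"), "this-network"),
    (ip_network("10.0.0.0/8"), "private"),
    (ip_network("100.64.0.0/10"), "shared address space (CGNAT)"),
    (ip_network("127.0.0.0/8"), "loopback"),
    (ip_network("169.254.0.0/16"), "link-local"),
    (ip_network("172.16.0.0/12"), "private"),
    (ip_network("192.0.0.0/24"), "IETF protocol assignments"),
    (ip_network("192.0.2.0/24"), "documentation"),
    (ip_network("192.88.99.0/24"), "6to4 relay anycast (deprecated)"),
    (ip_network("192.168.0.0/16"), "private"),
    (ip_network("198.18.0.0/15"), "benchmarking"),
    (ip_network("198.51.100.0/24"), "documentation"),
    (ip_network("203.0.113.0/24"), "documentation"),
    (ip_network("224.0.0.0/4"), "multicast"),
    (ip_network("240.0.0.0/4"), "reserved/broadcast"),
]

# IPv6 ranges that are never a legitimate outbound target. Forms that carry an
# embedded IPv4 address are handled separately in embedded_ipv4().
IPV6_SPECIAL = [
    (ip_network("::/128"), "unspecified"),
    (ip_network("::1/128"), "loopback"),
    (ip_network("2001::/32"), "Teredo tunnel"),
    (ip_network("2001:db8::/32"), "documentation"),
    (ip_network("fc00::/7"), "unique local"),
    (ip_network("fe80::/10"), "link-local"),
    (ip_network("ff00::/8"), "multicast"),
]


def embedded_ipv4(v6: IPv6Address) -> Optional[tuple[IPv4Address, str]]:
    """Return (inner IPv4, encoding) when an IPv6 literal carries an IPv4 target."""
    if v6.ipv4_mapped is not None:          # ::ffff:w.x.y.z
        return v6.ipv4_mapped, "IPv4-mapped"
    if v6.sixtofour is not None:            # 2002:wwxx:yyzz::/48
        return v6.sixtofour, "6to4"
    n = int(v6)
    low32 = IPv4Address(n & 0xFFFFFFFF)
    if v6 in ip_network("::/96"):           # deprecated IPv4-compatible form
        return low32, "IPv4-compatible"
    if v6 in ip_network("64:ff9b::/96"):    # NAT64 well-known prefix
        return low32, "NAT64"
    # ISATAP interface identifier: 0000:5EFE (or 0200:5EFE with the u/l bit
    # set) followed by the IPv4 address, under any 64-bit prefix.
    if (n >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        return low32, "ISATAP"
    return None


def disallowed_reason(host: str) -> Optional[str]:
    """Why an IP literal must not be fetched, or None when it is global unicast.

    Hostnames are deliberately rejected here: resolve them first and run every
    A/AAAA answer through this function before connecting.
    """
    try:
        addr = ip_address(host.strip("[]"))
    except ValueError:
        return "not an IP literal (resolve and check each answer)"
    if isinstance(addr, IPv4Address):
        for net, why in IPV4_SPECIAL:
            if addr in net:
                return why
        return None
    for net, why in IPV6_SPECIAL:
        if addr in net:
            return why
    inner = embedded_ipv4(addr)
    if inner is not None:
        v4, encoding = inner
        inner_reason = disallowed_reason(str(v4))
        if inner_reason is not None:
            return f"{encoding} -> {inner_reason}"
    return None


if __name__ == "__main__":
    # Constructed probe set; the real OpenClaw and Plane fixes may differ.
    for probe in ["127.0.0.1", "100.64.1.1", "ff02::1", "[::ffff:10.1.2.3]",
                  "::5efe:127.0.0.1", "2a02:1234::5efe:10.0.0.1",
                  "93.184.216.34", "2001:4860:4860::8888"]:
        print(f"{probe:28} -> {disallowed_reason(probe)}")
```

An explicit table is used instead of the standard library's `is_private`/`is_global` flags because those differ between Python versions for ranges such as 100.64.0.0/10, and a guard should not change meaning with the interpreter it runs on.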
OSV | added 2026/03/03 9:19 p.m. | 7 views

GHSA-8MVX-P2R9-R375 OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured

Summary: openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destinati...

CVSS 6.1 | AI score 5.9 | EPSS 0.00221
Exploits 0 | References 5

Github Security Blog | added 2026/03/03 9:19 p.m. | 9 views

OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured

Summary: openclaw web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (HTTP_PROXY/HTTPS_PROXY/ALL_PROXY, including lowercase variants). In affected builds, strict URL checks (for example web_fetch and citation redirect resolution) validated one destinati...

CVSS 7.6 | AI score 5.9 | EPSS 0.00221
Exploits 0 | References 5 | Affected software 1

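Both entries above cover the same OpenClaw issue, and the mechanism is worth spelling out: a strict fetch resolved the hostname and validated the resulting address, but with HTTP_PROXY/HTTPS_PROXY/ALL_PROXY (any case) set, the HTTP client handed the hostname to the proxy, which resolved it again, so the address that was checked and the address that was connected to could differ. The Python below is an added example, not OpenClaw's code: it resolves once, rejects the name if any answer is non-global, pins the chosen address, records and bypasses any proxy variables in the environment, and dials the pinned address directly with the original name in Host and SNI. The resolver and environment are constructed inputs; pinned_get performs real network I/O and is not run here.

```python
from __future__ import annotations

import http.client
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]        # hostname -> every A/AAAA answer
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY")


class SsrfError(Exception):
    pass


@dataclass(frozen=True)
class StrictPlan:
    scheme: str
    host: str                        # name the server must see (Host header, SNI)
    port: int
    path: str
    connect_ip: str                  # the validated address; nothing else may be dialled
    ignored_proxy_vars: List[str]    # proxy settings present in env and deliberately bypassed


def active_proxy_vars(env: Dict[str, str]) -> List[str]:
    """Proxy variables, upper- or lowercase, that a default HTTP client would
    honour: the client then sends the hostname to the proxy, the proxy resolves
    it, and the address checked locally is not the address connected to."""
    return sorted(k for k, v in env.items() if k.upper() in PROXY_VARS and v)


def resolve_and_pin(host: str, resolver: Resolver) -> str:
    """Resolve once, refuse the name if ANY answer is non-global, and return
    the single address the connection must use."""
    try:
        ipaddress.ip_address(host)
        answers = [host]                      # already a literal
    except ValueError:
        answers = resolver(host)
    if not answers:
        raise SsrfError(f"{host}: no addresses")
    for a in answers:
        # is_global is coarse; a full special-use table is stricter.
        if not ipaddress.ip_address(a).is_global:
            raise SsrfError(f"{host} resolves to non-global {a}")
    return answers[0]


def plan_strict_fetch(url: str, resolver: Resolver, env: Dict[str, str]) -> StrictPlan:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SsrfError(f"unsupported URL {url!r}")
    host = parts.hostname.lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    return StrictPlan(parts.scheme, host, port, path,
                      connect_ip=resolve_and_pin(host, resolver),
                      ignored_proxy_vars=active_proxy_vars(env))


def pinned_get(plan: StrictPlan, timeout: float = 5.0) -> bytes:
    """Dial plan.connect_ip directly (no proxy consulted) and send the original
    name in Host and SNI. Real network I/O; not exercised offline."""
    raw = socket.create_connection((plan.connect_ip, plan.port), timeout=timeout)
    if plan.scheme == "https":
        ctx = ssl.create_default_context()
        conn = http.client.HTTPSConnection(plan.host, plan.port, timeout=timeout, context=ctx)
        conn.sock = ctx.wrap_socket(raw, server_hostname=plan.host)   # cert checked against plan.host
    else:
        conn = http.client.HTTPConnection(plan.host, plan.port, timeout=timeout)
        conn.sock = raw
    conn.request("GET", plan.path, headers={"Host": plan.host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return body


# Constructed DNS view: one clean name, one that also answers with loopback.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    env = {"https_proxy": "http://proxy.corp.example:3128"}     # constructed
    print(plan_strict_fetch("https://cdn.example.com/a?b=1", fake_resolver, env))
    try:
        plan_strict_fetch("https://rebind.example.com/", fake_resolver, env)
    except SsrfError as e:
        print("blocked:", e)
```

Each redirect hop needs its own plan, since a Location header is a new hostname to resolve and pin; a client library that follows redirects internally would reintroduce the same gap the proxy does.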
OSV | added 2026/03/03 6:10 p.m. | 6 views

GHSA-W76H-8M22-HPGH OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists

Summary: In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content. Affected Packages / Versions - Package:...

CVSS 8.7 | AI score 5.9 | EPSS 0.00172
Exploits 0 | References 6

OSV | added 2026/03/03 1:22 p.m. | 5 views

SUSE-SU-2026:0777-1 Security update for cosign

This update for cosign fixes the following issues: Update to version 3.0.5 (jsc#SLE-23879). Security issues fixed: - CVE-2025-11065: github.com/go-viper/mapstructure/v2: sensitive information leak in logs (bsc#1250620). - CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of mechanisms can cau...

CVSS 7.5 | AI score 6.9 | EPSS 0.0053
Exploits 4 | References 19

Positive Technologies | added 2026/03/03 12:00 a.m. | 11 views

PT-2026-26418

Summary: In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content. Affected Packages / Versions - Package:...

CVSS 8.7 | AI score 5.8 | EPSS 0.00172
Exploits 0 | References 8

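The Twenty entries (request URL validated, redirect target not) and the OpenClaw MSTeams entries (redirect chain not constrained to mediaAllowHosts) above are the same bug: the policy runs once on the entry URL, then the HTTP client follows redirects without it. The Python below is an added example, not code from Twenty or OpenClaw. It has a policy combining an optional host allowlist with a private-address check, the vulnerable fetch that checks only the entry URL beside one that applies the policy to every hop, and a constructed in-memory transport standing in for an HTTP client configured with redirect following disabled. The hostnames, URLs and the metadata-service response are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# (status, headers, body) from a transport whose automatic redirect following
# is switched off. The transport used here is a constructed stand-in.
Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str], Response]
REDIRECTS = (301, 302, 303, 307, 308)


class SsrfError(Exception):
    pass


@dataclass(frozen=True)
class FetchPolicy:
    allow_hosts: frozenset = frozenset()       # non-empty: allowlist mode (mediaAllowHosts style)
    schemes: frozenset = frozenset({"https"})
    max_redirects: int = 5

    def reason_to_block(self, url: str) -> Optional[str]:
        parts = urlsplit(url)
        if parts.scheme not in self.schemes:
            return f"scheme {parts.scheme!r} not allowed"
        host = (parts.hostname or "").lower()
        if not host:
            return "no host"
        if self.allow_hosts and host not in self.allow_hosts:
            return f"host {host!r} not in allowlist"
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None      # hostname: resolve, check every answer, pin before connecting
        if not ip.is_global:  # coarse; a full special-use table is stricter
            return f"{host} is not a global address"
        return None


def _location(headers: Dict[str, str]) -> Optional[str]:
    return next((v for k, v in headers.items() if k.lower() == "location"), None)


def autofollow(transport: Transport, limit: int = 5) -> Transport:
    """Follow redirects blindly, the way a default HTTP client does."""
    def follow(url: str) -> Response:
        for _ in range(limit + 1):
            status, headers, body = transport(url)
            loc = _location(headers)
            if status in REDIRECTS and loc:
                url = urljoin(url, loc)
                continue
            return status, headers, body
        raise SsrfError("too many redirects")
    return follow


def fetch_entry_check_only(url: str, transport: Transport, policy: FetchPolicy) -> Response:
    """Vulnerable shape: only the caller-supplied URL is checked; the client
    then follows redirects on its own and the policy never sees hop 2."""
    reason = policy.reason_to_block(url)
    if reason:
        raise SsrfError(f"blocked {url}: {reason}")
    return autofollow(transport)(url)


def fetch_checking_every_hop(url: str, transport: Transport, policy: FetchPolicy) -> Response:
    """Hardened shape: redirects are followed here, each hop through the same policy."""
    hops = [url]
    for _ in range(policy.max_redirects + 1):
        reason = policy.reason_to_block(url)
        if reason:
            raise SsrfError(f"blocked {url} (hop {len(hops)}): {reason}")
        status, headers, body = transport(url)
        loc = _location(headers)
        if status in REDIRECTS and loc:
            url = urljoin(url, loc)   # a relative Location resolves against the current hop
            hops.append(url)
            continue
        return status, headers, body
    raise SsrfError("too many redirects: " + " -> ".join(hops))


# Constructed fixture: an attacker-controlled webhook host redirecting to the
# cloud metadata service, plus a benign relative redirect.
FAKE_WEB: Dict[str, Response] = {
    "https://hooks.example.com/evil": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
    "https://hooks.example.com/moved": (307, {"Location": "/final"}, b""),
    "https://hooks.example.com/final": (200, {"Content-Type": "text/plain"}, b"ok"),
}


def fake_transport(url: str) -> Response:
    return FAKE_WEB.get(url, (404, {}, b"not found"))


if __name__ == "__main__":
    policy = FetchPolicy(allow_hosts=frozenset({"hooks.example.com"}))
    print("naive   :", fetch_entry_check_only("https://hooks.example.com/evil", fake_transport, policy))
    try:
        fetch_checking_every_hop("https://hooks.example.com/evil", fake_transport, policy)
    except SsrfError as e:
        print("hardened:", e)
```

With a real client the same shape applies: turn off automatic redirects (for example `allow_redirects=False` in requests, `redirect: "manual"` in fetch), and treat every Location value as a fresh untrusted URL.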
CVE | added 2026/03/02 3:50 p.m. | 14 views

CVE-2025-50199

Chamilo LMS is affected by a blind SSRF in /index.php via POST parameter openid_url, prior to version 1.11.30. The issue is patched in 1.11.30. Attack vector is network-based with low complexity; CVSSv3.1 base: 9.1 (Impact: Confidentiality High, Availability High). The vulnerability Details in co...

CVSS 9.1 | AI score 5.9 | EPSS 0.00364
Exploits 1 | References 2 | Affected software 1

OSV | added 2026/03/02 3:50 p.m. | 5 views

CVE-2025-50199 Chamilo: Blind Server-Side Request Forgery (Unauth Blind SSRF)

Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openid_url parameter. This issue has been patched in version 1.11.30...

CVSS 7.7 | AI score 5.9 | EPSS 0.00364
Exploits 1 | References 4