648 matches found

CVE
added 2026/02/26 5:56 p.m., 24 views

CVE-2026-26938

CVE-2026-26938 concerns Kibana’s Workflows feature. The issue is an improper neutralization of special elements used in a template engine, enabling reading arbitrary files from the Kibana server filesystem and SSRF via Code Injection (CAPEC-242). It requires an authenticated user with the workflo...

CVSS 8.6, AI score 5.7, EPSS 0.00254
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2026/02/26 12:36 a.m., 12 views

CVE-2026-27829

Astro versions 9.0.0–9.5.3 contain a bug in the image pipeline where inferSize fetches remote images at render time without validating domains, allowing SSRF by fetching from arbitrary hosts despite image.domains/image.remotePatterns restrictions. An attacker who can influence the image URL (e.g....

CVSS 7.2, AI score 5.7, EPSS 0.00281
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2026/02/25 3:37 p.m., 12 views

CVE-2026-27730

esm.sh (a no-build CDN for web development) versions up to and including 137 contain an SSRF (CWE-918) in the /http(s) fetch route. The service validates against localhost/internal targets using hostname string checks, which can be bypassed with DNS alias domains, allowing an external requester t...

CVSS 8.6, AI score 5.5, EPSS 0.00339
Exploits: 1, References: 1, Affected Software: 1
Cvelist
added 2026/02/25 3:37 p.m., 20 views

CVE-2026-27730 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

esm.sh is a no-build content delivery network CDN for web development. Versions up to and including 137 have an SSRF vulnerability CWE-918 in esm.sh’s /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypass...

CVSS 8.6, EPSS 0.00339
Exploits: 1, References: 1
CNNVD
added 2026/02/24 12:00 a.m., 8 views

Craft CMS code issue vulnerability

Craft CMS is an open-source content management system developed by Craft CMS. There are code vulnerabilities in versions 4.5.0-RC1 to 4.16.18, and from 5.0.0-RC1 to 5.8.22 of Craft CMS. These vulnerabilities stem from a GraphQL Asset mutation where the SSRF validation only parses IPv4 addresses,...

CVSS 7.1, AI score 5.9, EPSS 0.00421
Exploits: 1, References: 3
Vulnrichment
added 2026/02/19 11:30 p.m., 3 views

CVE-2026-26957

...

AI score 5.4, EPSS 0.00061
Exploits: 0
NVD
added 2026/02/19 11:16 p.m., 6 views

CVE-2025-8055

Server-Side Request Forgery SSRF vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server. This issue affects XM Fax: 24.2...

CVSS 5.3, EPSS 0.00163
Exploits: 0, References: 1
CVE
added 2026/02/19 10:21 p.m., 10 views

CVE-2025-8055

OpenText XM Fax is affected by a Server-Side Request Forgery (SSRF) in version 24.2. The vulnerability permits blind SSRF to other systems reachable from the XM Fax server. The linked documents confirm the issue and affected product/version but do not provide exploitation details or a remediation...

CVSS 5.3, AI score 5.5, EPSS 0.00163
Exploits: 0, References: 1, Affected Software: 1
NVD
added 2026/02/19 6:24 p.m., 5 views

CVE-2026-26337

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal...

CVSS 8.8, EPSS 0.00358
Exploits: 0, References: 3
NVD
added 2026/02/19 9:16 a.m., 3 views

CVE-2026-25385

Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify (url-shortify) allows Server Side Request Forgery. This issue affects URL Shortify: from n/a through <= 1.12.3...

CVSS 5.5, EPSS 0.00237
Exploits: 0, References: 1
Vulnrichment
added 2026/02/19 8:26 a.m., 2 views

CVE-2026-25310 WordPress Extend Link plugin <= 2.0.0 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Alobaidi Extend Link (extend-link) allows Server Side Request Forgery. This issue affects Extend Link: from n/a through <= 2.0.0...

CVSS 4.9, AI score 5.5, EPSS 0.00184
Exploits: 0, References: 1
CNNVD
added 2026/02/19 12:00 a.m., 4 views

OpenText XM Fax security vulnerability

OpenText XM Fax is an IP fax software developed by OpenText Corporation in Canada. Version 24.2 of OpenText XM Fax contains a security vulnerability. This vulnerability arises from improper input handling and may lead to server-side request forgery attacks, allowing blind SSRF to be executed on...

CVSS 5.3, AI score 5.8, EPSS 0.00163
Exploits: 0, References: 1
Positive Technologies
added 2026/02/19 12:00 a.m., 3 views

PT-2026-20938

Name of the Vulnerable Software and Affected Versions: SillyTavern versions prior to 1.16.0. Description: SillyTavern is a locally installed user interface for interacting with large language models, image generation engines, and text-to-speech voice models. A Server-Side Request Forgery (SSRF) exists...

CVSS 8.5, AI score 5.9, EPSS 0.00282
Exploits: 1, References: 6
Vulnrichment
added 2026/02/19 12:00 a.m., 4 views

CVE-2025-55853

SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery SSRF. The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTM...

AI score 5.5, EPSS 0.00373
Exploits: 1, References: 2
Patchstack
added 2026/02/18 10:07 p.m., 6 views

WordPress Printful Integration for WooCommerce plugin <= 2.2.11 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability

Authenticated (Contributor+) Server-Side Request Forgery vulnerability discovered by Adrian Lukita in WordPress Plugin Printful Integration for WooCommerce versions <= 2.2.11...

CVSS 6.4, AI score 5.5, EPSS 0.00266
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE
added 2026/02/18 7:30 p.m., 4 views

CVE-2025-36243

IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

CVSS 5.4, AI score 5.5, EPSS 0.00138
Exploits: 0, References: 1
CVE
added 2026/02/18 1:32 p.m., 15 views

CVE-2026-2654

Affects huggingface smolagents 1.24.0. The LocalPythonExecutor uses requests.get/post, enabling remote SSRF via manipulation of outbound requests. Public PoC/exploit exists; vendor did not respond. Remediation not provided in the sources; no fixed version is listed for smolagents. Monitor for upd...

CVSS 9.8, AI score 5.4, EPSS 0.00379
Exploits: 1, References: 5, Affected Software: 1
CVE
added 2026/02/17 6:56 p.m., 16 views

CVE-2025-36243

IBM Concert Software versions 1.0.0–2.1.0 are vulnerable to server-side request forgery (SSRF). An authenticated attacker could cause unauthorized requests to be made from the system, enabling network enumeration or related attacks. Red Hat and NVD entries concur with the IBM advisory. The public...

CVSS 5.4, AI score 7.4, EPSS 0.00138
Exploits: 0, References: 1, Affected Software: 1
ATTACKERKB
added 2026/02/17 6:56 p.m., 4 views

CVE-2025-36243

IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

CVSS 5.4, AI score 5.5, EPSS 0.00138
Exploits: 0, References: 2, Affected Software: 1
CISA
added 2026/02/17 12:00 p.m., 15 views

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2008-0015 Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability; CVE-2020-7796 Synacor Zimbra Collaboratio...

CVSS 9.8, AI score 5.8, EPSS 0.85416
In wild, Exploits: 22, References: 9