PT-2026-20247

Name of the Vulnerable Software and Affected Versions IBM Concert versions 1.0.0 through 2.1.0 Description IBM Concert versions 1.0.0 through 2.1.0 are susceptible to a server-side request forgery SSRF condition. A successful exploit could allow an authenticated attacker to dispatch unauthorized...

CVE-2026-2556

A security vulnerability has been detected in cskefu up to 8.0.1. This issue affects some unknown processing of the file com/cskefu/cc/controller/resource/MediaController.java of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack may be...

CVE-2026-2532

A vulnerability was detected in lintsinghua DeepAudit up to 3.0.3. This issue affects some unknown processing of the file backend/app/api/v1/endpoints/embeddingconfig.py of the component IP Address Handler. Performing a manipulation results in server-side request forgery. It is possible to initia...

PT-2026-8307

A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The...

WordPress plugin MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-10.0.1.7)

The version of AHV installed on the remote host is prior to AHV-10.0.1.7. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-10.0.1.7 advisory. - A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the sshkdf function...

WordPress plugin Converter for Media 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVE-2025-12575 Server-Side Request Forgery (SSRF) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user with certain permissions to make unauthorized requests to internal network services throug...

CVE-2026-26013

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.getnumtokensfrommessages method fetches arbitrary imageurl values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Reque...

CVE-2025-11242

Server-Side Request Forgery SSRF vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade Inc. Okulistik allows Server Side Request Forgery. This issue affects Okulistik: through 21102025...

Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.

Summary Multiple vulnerabilities were addressed in IBM Concert Software version 2.2.0 Vulnerability Details CVEID:CVE-2025-33088 DESCRIPTION: IBM Concert Software could allow a local user with specific knowledge about the system's architecture to escalate their privileges due to incorrect file...

CVE-2026-25765

A flaw was found in Faraday, an HTTP client library. The buildexclusiveurl method, which combines a base URL with a user-supplied path, incorrectly processes protocol-relative URLs e.g., //evil.com/path. This allows a remote attacker to supply a specially crafted URL, leading to Server-Side Reque...

LangChain 代码问题漏洞

LangChain is an open-source framework developed by LangChain for creating applications powered by large language models LLMs. Versions of LangChain prior to 1.2.11 contained code vulnerabilities. These vulnerabilities stemmed from the ChatOpenAI.getnumtokensfrommessages method, which did not...

GHSA-M5R2-8P9X-HP5M Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation

I observed a recent commit intended to mitigate Server-Side Request Forgery SSRF vulnerabilities. While the implemented defense mechanisms are an improvement, I have identified two methods to bypass these protections. This report details the first bypass method involving alternative IP notation,...

CVE-2026-25904 Overly permissive Deno configuration in mcp-run-python leads to SSRF

The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note - the "mcp-run-python" project is archived and unlikely to receive a fix...

CVE-2026-1294

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

CVE-2026-22247

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5...

WordPress plugin All In One Image Viewer Block 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVE-2025-62615

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in RSSFeedBlock, the third-party library urllib.request.urlopen is used directly to access the URL, but the inpu...

CVE-2026-1884

A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made...