
648 matches found

Positive Technologies
added 2025/09/19 12:0 a.m., 5 views

PT-2025-38543

Name of the Vulnerable Software and Affected Versions: Accela Automation Platform version 22.2.3.0.230103. Description: Accela Automation Platform contains multiple issues within the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, potentially...

CVSS 9.1 | AI score 7.9 | EPSS 0.00694
Exploits: 0 | References: 5
Positive Technologies
added 2025/09/19 12:0 a.m., 6 views

PT-2025-38590

Name of the Vulnerable Software and Affected Versions: StorageGRID versions prior to 11.8.0.15; StorageGRID versions prior to 11.9.0.8. Description: StorageGRID (formerly StorageGRID Webscale) is susceptible to a Server-Side Request Forgery (SSRF) issue. A successful exploit could allow an unauthenticate...

CVSS 7.5 | AI score 6.7 | EPSS 0.00317
Exploits: 0 | References: 4
RedhatCVE
added 2025/09/17 4:52 p.m., 8 views

CVE-2025-58045

Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not...

CVSS 9.8 | AI score 7.9 | EPSS 0.00646
Exploits: 1 | References: 1
Tenable Nessus
added 2025/09/17 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-59437

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The ip (aka node-ip) package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOT...

CVSS 8.1 | AI score 6.9 | EPSS 0.08279
Exploits: 0 | References: 3
Positive Technologies
added 2025/09/17 12:0 a.m., 3 views

PT-2025-38254

Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0. Description: Dragonfly is a P2P-based file distribution and image acceleration system susceptible to a server-side request forgery (SSRF) vulnerability. This flaw allows users to force Dragonfly2’s components to...

CVSS 9.9 | AI score 9 | EPSS 0.02829
Exploits: 11 | References: 45
OSV
added 2025/09/16 6:16 a.m., 4 views

CVE-2025-59436

The ip (aka node-ip) package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415...

CVSS 3.2 | AI score 7
Exploits: 0 | References: 2
Cvelist
added 2025/09/16 12:0 a.m., 12 views

CVE-2025-59436

The ip (aka node-ip) package through 2.0.1 in NPM might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415...

CVSS 3.2 | EPSS 0.00115
Exploits: 0 | References: 2
OSV
added 2025/09/15 5:15 p.m., 2 views

CVE-2025-10471

A vulnerability was detected in ZKEACMS 4.3. Impacted is the function Proxy of the file src/ZKEACMS/Controllers/MediaController.cs. Performing manipulation of the argument url results in server-side request forgery. It is possible to initiate the attack remotely. The exploit is now public and may...

CVSS 8.8 | AI score 7
Exploits: 0 | References: 5
Positive Technologies
added 2025/09/15 12:0 a.m., 4 views

PT-2025-37724

Name of the Vulnerable Software and Affected Versions: ZKEACMS version 4.3. Description: A vulnerability exists in ZKEACMS that allows for server-side request forgery. The issue is located in the Proxy function within the src/ZKEACMS/Controllers/MediaController.cs file. Manipulation of the url...

CVSS 6.5 | AI score 6.3 | EPSS 0.00282
Exploits: 0 | References: 9
Cvelist
added 2025/09/14 11:2 a.m., 11 views

CVE-2025-10397 Magicblack MacCMS API server-side request forgery

A vulnerability was identified in Magicblack MacCMS 2025.1000.4050. This affects an unknown part of the component API Handler. The manipulation of the argument cjurl leads to server-side request forgery. The attack can be initiated remotely. The exploit is publicly available and might be used...

CVSS 5.8 | EPSS 0.00318
Exploits: 0 | References: 4
NVD
added 2025/09/14 8:15 a.m., 5 views

CVE-2025-10395

A vulnerability was found in Magicblack MacCMS 2025.1000.4050. Affected by this vulnerability is the function colurl of the component Scheduled Task Handler. Performing manipulation of the argument cjurl results in server-side request forgery. It is possible to initiate the attack remotely...

CVSS 7.2 | EPSS 0.00318
Exploits: 0 | References: 4
CVE
added 2025/09/09 4:36 p.m., 22 views

CVE-2025-54249

Adobe Experience Manager (AEM) versions 6.5.23.0 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that can bypass security features and allow unauthorized read access. The CVE identifier is CVE-2025-54249. Evidence from connected documents shows the issue is specific...

CVSS 6.5 | AI score 6.1 | EPSS 0.01811
In wild | Exploits: 0 | References: 1 | Affected Software: 1
IBM Security Bulletins
added 2025/09/09 3:22 p.m., 4 views

Security Bulletin: Insufficient URI Authority Validation in Eclipse Jetty's HttpURI Class Enables Open Redirect and SSRF Risks, affects watsonx.data

Summary: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common...

CVSS 6.5 | AI score 6.6 | EPSS 0.01037
Exploits: 1 | Affected Software: 1
Cvelist
added 2025/09/09 12:51 p.m., 6 views

CVE-2025-9065 Rockwell Automation ThinManager® Server-Side Request Forgery Vulnerability

A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash...

CVSS 8.6 | EPSS 0.00431
Exploits: 0 | References: 1
Tenable Nessus
added 2025/08/30 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2018-7667

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Adminer through 4.3.1 has SSRF via the server parameter. (CVE-2018-7667) Note that Nessus relies on the presence of the package as reported by the vendor...

CVSS 9.8 | AI score 8.2 | EPSS 0.04603
Exploits: 1 | References: 2
Tenable Nessus
added 2025/08/30 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2021-39894

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in the Fogbugz importer which may be used by attackers to exploit Server Sid...

CVSS 5.5 | AI score 5.7 | EPSS 0.00593
Exploits: 0 | References: 2
OSV
added 2025/08/29 9:33 p.m., 1 view

GHSA-4342-X723-CH2F Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request...

CVSS 6.5 | AI score 6 | EPSS 0.02328
Exploits: 0 | References: 5
Tenable Nessus
added 2025/08/27 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2022-0249

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A vulnerability was discovered in GitLab starting with version 12. GitLab was vulnerable to a blind SSRF attack since requests to shared address space were not...

CVSS 9.1 | AI score 8.1 | EPSS 0.0112
Exploits: 1 | References: 2
NVD
added 2025/08/25 7:15 p.m., 6 views

CVE-2025-9414

A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote...

CVSS 5.8 | EPSS 0.00277
Exploits: 0 | References: 4
CVE
added 2025/08/25 6:32 p.m., 16 views

CVE-2025-9414

Kalcaddle Kodbox 1.61 contains a server-side request forgery in the Download from Link Handler, via manipulation of the url parameter in /?explorer/upload/serverDownload. Remote exploitation is possible and the exploit has been published. PT-2025-34698 confirms the issue and notes there is no inf...

CVSS 5.8 | AI score 5 | EPSS 0.00277
Exploits: 0 | References: 4 | Affected Software: 1