CVE-2026-6333

Mattermost versions 11.5.x <= 11.5.1 and 10.11.x

📄 Lobster_pro Arbitrary File Read / Server-Side Request Forgery

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobsterpro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. -----BEGIN PGP...

EUVD-2026-30636

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is fixed in 0.9.5...

CVE-2021-47958

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

CVE-2026-39053

Oinone Pamirs 7.0.0 contains an XML External Entity XXE issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML... or ViewXmlUtils.fromXML..., unsafe XML processing can lead to file disclosure or SSRF...

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through getcontentfromurl in retrieval/utils.py, SafeWebBaseLoader in web/base.py, and imageedits in routers/images.py. An attacker can cause the server to fetch internal...

CVE-2026-44661

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registermanual validates the discovery URL against an HTTPS /...

CVE-2026-44589 nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl denylist introduced in [email protected] to remediate GHSA-pqhr-mp3f-hrpp Dmitry Prokhorov / Positive Technologies, March 2026 is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validatio...

Missing Authentication

github.com/dgraph-io/dgraph is vulnerable to Missing Authentication. The vulnerability is due to the restoreTenant admin mutation missing authorization middleware validation, which allows an unauthenticated attacker to overwrite the database, access server-side files via file:// paths, and perfor...

CVE-2026-42281 MagicMirror²: Unauthenticated SSRF via /cors endpoint

MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadat...

CVE-2026-42596 Gotenberg: Unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as...

PT-2026-41184

Name of the Vulnerable Software and Affected Versions @utcp/http versions prior to 1.1.2 Description The @utcp/http package is subject to a blind Server-Side Request Forgery SSRF, a flaw where an attacker can force the server to make requests to an unintended location. This is caused by a...

CVE-2026-44363

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allo...

CVE-2026-44363 Unsafe remote resource fetching in expansion misp-modules

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allo...

Next.js 代码问题漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.4.13 to 15.5.16, as well as versions before 16.2.5, have code vulnerabilities. These vulnerabilities stem from the use of the built-in Node.js server for hosting. When a custom WebSocket upgrade request is made, it ma...

CVE-2026-42260 Open-WebSearch: SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF wit...

Xibo 代码问题漏洞

Xibo is a digital signage content management tool developed by Dan Garner personally. Versions of Xibo prior to 4.4.1 contained code vulnerabilities. These vulnerabilities stemmed from server-side request forgery attacks, which could allow authenticated users to scan internal infrastructure or...

EUVD-2026-29211

A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the argument weixinUrl lead...

CVE-2026-2393

CVE-2026-2393: MLflow prior to 3.9.0 is vulnerable to SSRF via a user-controlled webhook URL. The _create_webhook() handler stores the URL without validation, and _send_webhook_request() POSTs to that URL, enabling an authenticated attacker to cause the MLflow backend to reach internal services, ...

GHSA-XH5J-727M-W6GG Budibase vulnerable to SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)

Summary | Field | Value | |-------|-------| | Title | SSRF via trivial .tar.gz substring bypass in Plugin URL upload | | Product | Budibase Self-Hosted | | Version | ≤ 3.34.11 latest stable as of 2026-03-30 | | Component | packages/server/src/api/controllers/plugin/url.ts | | Vulnerability Type...