Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata

Summary The GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network...

CVE-2026-34515

CVE-2026-34515 affects the AIOHTTP framework prior to 3.13.4. On Windows, the static resource handler could expose information about a NTLMv2 remote path, enabling UNC SSRF and potential credential exposure or local file read. The issue has been fixed in version 3.13.4. The CVE entry (CVE-2026-34...

CVE-2026-31943

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests ...

SUSE CVE-2026-33206

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the...

websec-payloads

Web Security Payloads & Exploitation Reference Comprehensiv...

EUVD-2026-16764

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, isPrivateIP in packages/api/src/auth/domain.ts fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests ...

CVE-2026-33766

WWBN AVideo (open-source video platform) versions up to 26.0 are affected by an SSRF protection bypass in image-download endpoints. The root cause is that isSSRFSafeURL() validates the URL against private/reserved IP ranges at check-time, but url_get_contents() follows HTTP redirects without re-v...

CVE-2026-33206

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the...

Calibre 安全漏洞

Calibre is an open-source, free tool developed by Kovid Goyal, a personal developer from India. It serves as a comprehensive e-book reading management and format conversion tool. Versions of Calibre prior to 9.6.0 contained security vulnerabilities. These vulnerabilities stemmed from a path...

CVE-2026-33644 Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check line 86-89 only activates when the hostname is an IP address. When a domain name is used, filtervar$host,...

CVE-2026-33537

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...

CVE-2026-33537 Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...

CVE-2026-33237

WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's run function in plugin/Scheduler/Scheduler.php calls urlgetcontents with an admin-configurable callbackURL that is validated only by isValidURL URL format check. Unlike other AVideo endpoints that were...

CVE-2026-33399

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validatewebhookurlforssrf protection was added to the test notification endpoints but not to the...

CVE-2026-24964 WordPress Contest Gallery plugin <= 28.1.2.1 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery SSRF vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery.This issue affects Contest Gallery: from n/a through = 28.1.2.1...

CVE-2026-33679

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DownloadImage function in pkg/utils/avatar.go uses a bare http.Client with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their...

CVE-2026-33675

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions DownloadFile and DownloadFileWithHeaders in pkg/modules/migration/helpers.go make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trell...

CVE-2026-33679 Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DownloadImage function in pkg/utils/avatar.go uses a bare http.Client with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their...

CVE-2026-22739 Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from...

CVE-2026-22739 Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from...