343 matches found
CVE-2026-49213 TypeBot: SSRF protection bypass via IPv6 unspecified address in Typebot HTTP request execution
TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/validateHttpReqUrl.ts can be bypassed with the IPv6 unspecified address :: because validateIPAddress blocks local, metadata, and private ranges but does not block :: or its expanded form. ...
CVE-2026-54607
FastGPT exposed an SSRF issue in the HTTP-tool OpenAPI schema importer prior to 4.15.0-beta4. The importer validates only the top-level URL before handing refs to SwaggerParser.bundle, whose resolver can fetch and inline $ref URLs bypassing FastGPT’s internal-address guard, enabling an authentica...
CVE-2026-58468
NocoBase up to version 2.1.20 is affected by a server-side request forgery via the serverRequest wrapper. Authenticated administrators can craft arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin. Exploitation ta...
Vulnerabilities found in UniFi products from Ubiquiti Networks
Ubiquiti Networks has identified vulnerabilities in various UniFi products, including UniFi Connect Application, UniFi Talk Application, UniFi Access Application, UniFi OS, UniFi Network Application, and UniFi Protect Application. These vulnerabilities involve command injection, SQL injection,...
CVE-2026-48203
CVE-2026-48203 affects Apache Camel’s Solr component. The vulnerability arises because SolrParam.* and SolrField.* headers are copied into Solr request parameters and indexed fields without respecting the Camel/HTTP header boundary, enabling an unauthenticated HTTP client to inject arbitrary Solr...
CVE-2026-55115
A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery SSRF in UniFi Protect Application to escalate privileges on the host device...
DEBIAN-CVE-2026-28385
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery SSRF vulnerability in the image import functionality allows authenticated users with the cancreateimages entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a...
CVE-2026-13318
A server-side request forgery SSRF flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance VMI, virt-api reads the target IP from vmi.Status.Interfaces0.IP and passes it directly to net.Dial without validation. For VMIs using...
CVE-2026-12975 Apicurio/apicurio-registry: apicurio-registry: unhardened saxparser in content-type detection leads to blind xxe / ssrf / billion-laughs dos
A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission or unauthenticated when the registry runs with default...
CVE-2026-57535
Content injected to PDF rendering contexts could, in many places, include HTML content including tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server a...
CVE-2026-49979
Appsmith prior to version 1.99 exposes a vulnerability in the POST /api/v1/admin/send-test-email endpoint. An attacker can supply smtpHost and smtpPort values to establish a raw JavaMail TCP connection, bypassing WebClientUtils.IP_CHECK_FILTER (which only applies to Spring WebClient HTTP requests...
EUVD-2026-38537
In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to...
PT-2026-51459
Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description An information disclosure issue exists in the Mirror Settings functionality, which allows authenticated users to import local repositories from the server filesystem. This occurs due to a lack o...
CVE-2026-49359
PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 is vulnerable: the attachment option for Pdf can accept any value that passes filter_var(url), including http, https, ftp, file, and PHP streams like php://. The library fetches these values server-side via file_get_contents, allow...
GHSA-JRFP-M64G-PCWV Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
Summary The SafePlaywrightURLLoader implements a validateurl function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects 301/302 by default, an attacker c...
GHSA-365W-HQF6-VXFG Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Summary Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration. Vulnerabilities 1. Arbitrary File Write via /screenshot and /pdf CWE-22, CVSS 9....
Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped)
The Docker API server's SSRF protection validatewebhookurl / validateurldestination in deploy/docker/utils.py used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata endpoints e.g. 169.254.169.254 despite the...
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration...
CVE-2026-53607
Technical details are not publicly available in the provided documents. Monitor for updates and confirm when patched versions or advisories are published.
PT-2026-48965
Name of the Vulnerable Software and Affected Versions Koel versions prior to 9.7.1 Description An authenticated, non-admin user can cause the server to make HEAD or GET requests to arbitrary internal hosts. This occurs because the validation rules for the url field in the "POST /api/radio/station...