Dify v1.6.0 - Server-Side Request Forgery

Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remotefiles.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access. id: CVE-2025-56520 info: name: Dify v1.6.0 - Server-Side Request...

JetBrains TeamCity 代码问题漏洞

JetBrains TeamCity is a set of distributed build management and continuous integration tools developed by the Czech company JetBrains. This tool offers features such as continuous unit testing, code quality analysis, and reporting on build issues. Versions of JetBrains TeamCity prior to 2026.1 an...

SUSE CVE-2003-0098

Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10.5, allows remote attackers to gain root privileges, possibly via format strings in a request to a slave server...

CVE-2026-0502

The CVE-2026-0502 entry concerns SAP BusinessObjects Business Intelligence Platform with a CSRF protection flaw. An authenticated user can be tricked into sending unintended requests to the web server, leading to low impact on integrity and availability and no confidentiality impact. Public detai...

CVE-2026-42188 Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL

Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery SSRF vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an...

CVE-2026-41887

The CVE-2026-41887 entry affects Flarum core prior to versions 1.8.16 and 2.0.0-rc.1, where values assigned to LESS-configurable settings (e.g., theme_primary_color/theme_secondary_color) are interpolated into LESS at compile time. An authenticated administrator can inject an arbitrary @import, e...

CVE-2026-41689 Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use...

CVE-2026-31955

CVE-2026-31955 affects Xibo CMS prior to 4.4.1. An authenticated SSRF vulnerability in the remote DataSet functionality allows users with DataSet permissions (and the privilege to add DataSets to Layouts) to cause the CMS server to issue arbitrary HTTP requests to internal or external resources. ...

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection in the startAssetImport process. An attacker can access sensitive files on the server or initiate server-side requests by uploading specially crafted XML files containing external entity references. Thi...

Chamilo LMS 代码问题漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Versions of Chamilo LMS prior to 2.0.0-RC.3 contained code vulnerabilities. These vulnerabilities stemmed from...

PT-2026-31437

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE DOWNLOAD FROM URL is enabled opt-in, authenticated users can supply remote image URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation again...

GHSA-X369-MCW8-8RVJ Dark Reader gives users the ability to request style sheets from local web servers

Description Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, If an address was available and returned a text/css content type. Patches The problem was fixed in...

Chamilo 代码问题漏洞

Chamilo is an open-source learning management system developed by Chamilo. Versions of Chamilo prior to 1.11.28 had code vulnerabilities. These vulnerabilities stemmed from defects in the OpenId functionality, which could lead to forged server requests without proper verification...

CVE-2026-26075

FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain security issues. In addition to implementing internal network isolation in the deployment environment...

GitLab 代码问题漏洞

GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD Continuous Integration and Delivery. There are code-related vulnerabilities in versions of GitLab EE prior t...

CVE-2026-0532

External Control of File Name or Path CWE-73 combined with Server-Side Request Forgery CWE-918 can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticate...

CVE-2025-12388

The B Carousel Block – Responsive Image and Content Carousel plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.1.5. This is due to the plugin not validating user-supplied URLs before passing them to the wpremoterequest function. This makes it...

CVE-2025-59146 New API has Authenticated Server-Side Request Forgery (SSRF) issue

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. An authenticated Server-Side Request Forgery SSRF vulnerability exists in versions prior to 0.9.0.5. A feature within the application allows authenticated users to submit a URL for the server to...

EUVD-2007-3425

Malware in sbrugna...

EUVD-2007-0104

Malware in sbrugna...