CVE-2026-43526 OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling

OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded...

CVE-2026-42439

OpenClaw prior to 2026.4.10 contains a server-side request forgery policy bypass in the browser tabs action routes (/tabs/action). This allows bypassing configured SSRF protections to perform unauthorized tab navigation operations. Affected: OpenClaw; vulnerability likely affects the browser tabs...

EUVD-2026-27255

OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page conten...

EUVD-2026-27173

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the importimages function. This makes it possible for authenticated attackers, with contributor-level access and above, t...

CVE-2026-2948

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the importimages function. This makes it possible for authenticated attackers, with contributor-level access and above, t...

CVE-2026-2948

The vulnerability CVE-2026-2948 affects the Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress (versions ≤ 3.5.3). It permits Server-Side Request Forgery via the import_images() function, exploitable by authenticated users with contributor-level access or higher. T...

CVE-2026-2948 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl'

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the importimages function. This makes it possible for authenticated attackers, with contributor-level access and above, t...

CVE-2026-2948 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl'

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the importimages function. This makes it possible for authenticated attackers, with contributor-level access and above, t...

CLSA-2026-1777945456 httpd: Fix of 2 CVEs

CVE-2024-42516: fix HTTP response splitting in core httpd via header merging refactor in modules/http/httpfilters.c - CVE-2024-43204: fix SSRF in modproxy when modheaders is configured to modify Content-Type from request input...

PT-2026-37253

Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description An incomplete fix for Server-Side Request Forgery SSRF in the fetch metadata.php file allows for DNS rebinding. The system validates the resolved IP address but passes the original hostname-based URL...

WordPress plugin Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.14 contained security vulnerabilities. These vulnerabilities were due to improper access control in browser snapshots, screenshot generation, and tag routing. As a result,...

OpenClaw 代码问题漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.12 had code vulnerabilities. These vulnerabilities stemmed from server-side request forgeing in the handling of media URLs by the QQBot. This could allow attackers to provide...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.10 contained security vulnerabilities. These vulnerabilities were due to a bypass of the server-side request forgery strategy used in browser tab operations, such as selecting a...

PT-2026-37221

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

PT-2026-36962

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import images function. This makes it possible for authenticated attackers, with contributor-level access and above, ...

axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NOPROXY rules. An attacker can exploit this by crafting requests to loopback addresses e.g., localhost. or ::1 which bypass the NOPROXY...

Server-side Request Forgery (SSRF)

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the setconfigvalue function. An attacker can intercept all outbound HTTP traffic, steal credentials, and inject...

CVE-2026-7604

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is...

CVE-2026-7603

A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the...