CVE-2026-42175 requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598
requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space 100.64.0.0/10. An attacker who can supply arbitrary...
CVE-2026-43929
The provided sources describe a concrete SSRF vulnerability in ssrfcheck (CVE-2026-43929) where IPv4 private addresses encoded as IPv4-mapped IPv6 inside URLs bypass the library’s private-IP denial logic. In ssrfcheck v1.3.0 and earlier, the WHATWG URL parser normalizes IPv4-mapped inputs to hex ...
CVE-2026-43993
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch on agent-supplied URLs without validating scheme, port, or resolved IP, resulting in an SSRF vulnerability. This vulnerability is fixed in 0.x.y-security-1...
CVE-2026-42141 Xibo: Authenticated Server-Side Request Forgery (SSRF) in Library Upload via URL functionality
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests fr...
CVE-2026-42141
CVE-2026-42141 affects Xibo CMS prior to 4.4.1, where an authenticated user with Library upload permissions can trigger SSRF via the /library/uploadUrl endpoint by supplying a URL parameter. The vulnerability allows the CMS server to perform arbitrary HTTP requests to internal or external resourc...
CVE-2026-43993 JunoClaw: SSRF in WAVS computeDataVerify allows cloud-metadata and internal-service access
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch on agent-supplied URLs without validating scheme, port, or resolved IP, resulting in an SSRF vulnerability. This vulnerability is fixed in 0.x.y-security-1...
CVE-2026-43993
CVE-2026-43993: In JunoClaw’s WAVS bridge, the function computeDataVerify fetched agent-supplied URLs without validating the URL scheme, port, or resolved IP, enabling an SSRF vulnerability. The affected version range is prior to 0.x.y-security-1. This could allow access to cloud-metadata and inter...
CVE-2026-42260
Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF wit...
CVE-2026-30810
Pandora FMS versions 777–800 have a Server-Side Request Forgery vulnerability that enables privilege escalation via the API Checker extension (CVE-2026-30810). The CVSSv4 base score is 7.1 (HIGH) with NETWORK vector, LOW attack complexity, and LOW privileges required. Documents confirm SSRF and p...
CVE-2026-30810 Server-Side Request Forgery in API Checker leads to Privilege Escalation
Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800...
CVE-2026-42641
Server-Side Request Forgery (SSRF) vulnerability in ILLID Share This Image (share-this-image) allows Server Side Request Forgery. This issue affects Share This Image: from n/a through = 2.14...
PT-2026-40548
Name of the Vulnerable Software and Affected Versions: SillyTavern versions prior to 1.18.0. Description: SillyTavern is a locally installed user interface for interacting with large language models, image generation engines, and text-to-speech voice models. The corsProxyMiddleware function forwards...
Pandora FMS Code Issue Vulnerability
Pandora FMS is a monitoring system developed by the American company Pandora FMS. This system provides visual monitoring of networks, servers, virtual infrastructure, and applications. There are code vulnerabilities in versions 777 to 800 of Pandora FMS, which stem from server-side request forger...
dssrf Security Vulnerability
DSSRF is a URL and network verification library developed by an individual developer at RelunSec, designed for defending against SSRF vulnerabilities. Versions of DSSRF prior to 1.3.0 contained security vulnerabilities, which stemmed from the ability to bypass the isurlsafe check for each IPv6...
JunoClaw Code Issue Vulnerability
JunoClaw is a decentralized AI proxy platform developed by Dragonmonk111. Versions of JunoClaw prior to 0.x.y-security-1 contained code vulnerabilities. These vulnerabilities stemmed from the computeDataVerify function in the WAVS bridge, which did not validate the protocol, port, or parse the IP...
CVE-2026-42188 Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL
Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an...
CVE-2026-42188
CVE-2026-42188 (Geyser SSRF): A server-side request forgery vulnerability exists in Geyser’s handling of Bedrock player head textures. Before version 2.9.3, a crafted Base64-encoded skin texture URL supplied via the /give command can cause the Minecraft server to issue arbitrary HTTP GET request...