7163 matches found
WordPress Webmention plugin <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery vulnerability
Authenticated Subscriber+ Server-Side Request Forgery vulnerability discovered by Duong Quang Hao in WordPress Plugin Webmention versions <= 5.6.2...
CVE-2026-0686
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...
CVE-2026-0686
The CVE-2026-0686 entry concerns the WordPress Webmention plugin. Affected component/function: MF2::parse_authorpage and Receiver::post, enabling Server-Side Request Forgery (SSRF) in all versions up to and including 5.6.2. This allows unauthenticated attackers to issue web requests from the vuln...
CVE-2026-0686 Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...
CVE-2026-0688
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
CVE-2026-0688
The CVE concerns the WordPress Webmention plugin (versions up to and including 5.6.2) with a Server-Side Request Forgery due to Tools::read. An authenticated attacker with Subscriber-level access or higher can cause the web application to issue requests to arbitrary external/internal locations, p...
CVE-2026-0688 Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
CVE-2026-5323
The CVE-2026-5323 entry affects priyankark a11y-mcp (up to 1.0.5), specifically the A11yServer function in src/index.js, causing a server-side request forgery. Exploitation requires a local position. An exploit has been made public. Upgrade to version 1.0.6 to resolve, with patch id e3e11c9e8482b...
CVE-2026-5323 priyankark a11y-mcp index.js A11yServer server-side request forgery
A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local position. The exploit has been made public and could be use...
WordPress Webmention plugin <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery vulnerability
Unauthenticated Blind Server-Side Request Forgery vulnerability discovered by Duong Quang Hao in WordPress Plugin Webmention versions <= 5.6.2...
Docker Desktop < 4.67.0 SSRF
The version of Docker Desktop is prior to 4.67.0. It is therefore affected by a server-side request forgery vulnerability. - Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's...
Gitroom Postiz code issue vulnerability
Gitroom Postiz is an open-source social media scheduling tool developed by Gitroom. Versions of Gitroom Postiz prior to 2.21.3 contained code vulnerabilities. These vulnerabilities stemmed from the lack of server-side request forgery protection in the POST /public/v1/upload-from-url endpoint, whi...
PT-2026-29686
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 in the 'MF2::parse_authorpage' function via the 'Receiver::post' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...
PT-2026-29853
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by...
PT-2026-29787
A vulnerability was determined in huimeicloud hm editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the atta...
Microsoft Azure Custom Locations Resource Provider code issue vulnerability
Microsoft Azure Custom Locations Resource Provider is a service component developed by Microsoft Corporation in the United States. It serves to extend, manage, and integrate custom data centers or edge resources. There is a code vulnerability in Microsoft Azure Custom Locations Resource Provider,...
PT-2026-29687
The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
SillyTavern code issue vulnerability
SillyTavern is a frontend interface for the SillyTavern open-source language model. Versions of SillyTavern prior to 1.17.0 had code vulnerabilities; these vulnerabilities stemmed from a hostname check that only matched literal dotted-decimal IPv4 addresses, which could lead to server-side reques...
A11y MCP Server code issue vulnerability
A11y MCP Server is a web accessibility testing tool developed by Priyankar Kumar as an individual project. Versions of A11y MCP Server 1.0.5 and earlier contained code vulnerabilities. These vulnerabilities stemmed from a server-side request forgery vulnerability in the A11yServer function locat...