
7175 matches found

Cvelist
added 2026/03/23 2:8 p.m., 18 views

CVE-2026-33480 AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching the...

8.6 CVSS, 0.00068 EPSS
Exploits: 1, References: 2
CVE
added 2026/03/23 2:8 p.m., 14 views

CVE-2026-33480

CVE-2026-33480 affects WWBN AVideo up to version 26.0, where the isSSRFSafeURL() SSRF protection in the unauthenticated plugin/LiveLinks/proxy.php can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). Exploitation enables unauthenticated access to cloud instance metadata, internal ne...

8.6 CVSS, 5.8 AI score, 0.00068 EPSS
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2026/03/23 1:51 p.m., 6 views

CVE-2026-33351

CVE-2026-33351 affects WWBN AVideo prior to version 26.0, with a Server-Side Request Forgery (SSRF) in the Live plugin’s standalone deployment using the user-supplied webSiteRootURL to build a server-side request via file_get_contents(). The vulnerability enables unauthenticated SSRF, potentially...

9.1 CVSS, 5.8 AI score, 0.00127 EPSS
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2026/03/23 1:51 p.m., 1 view

CVE-2026-33351 AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass

WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the...

9.1 CVSS, 5.8 AI score, 0.00127 EPSS
Exploits: 1, References: 2
ATTACKERKB
added 2026/03/23 1:32 p.m., 0 views

CVE-2026-4589

A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component fileGet Endpoint. Such manipulation of the argument path leads to server-side request forgery. T...

6.5 CVSS, 6.3 AI score, 0.0005 EPSS
Exploits: 0, References: 7, Affected Software: 1
Cvelist
added 2026/03/23 1:32 p.m., 29 views

CVE-2026-4589 kalcaddle kodbox fileGet Endpoint editor.class.php PathDriverUrl server-side request forgery

A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component fileGet Endpoint. Such manipulation of the argument path leads to server-side request forgery. T...

6.5 CVSS, 0.0005 EPSS
Exploits: 0, References: 4
CVE
added 2026/03/23 1:32 p.m., 5 views

CVE-2026-4589

The CVE-2026-4589 entry concerns kalcaddle kodbox 1.64. The vulnerability resides in the PathDriverUrl function in /workspace/source-code/app/controller/explorer/editor.class.php of the fileGet Endpoint, where argument path manipulation enables server-side request forgery (SSRF). The issue is exp...

6.5 CVSS, 6.3 AI score, 0.0005 EPSS
Exploits: 0, References: 4
Vulnrichment
added 2026/03/23 1:32 p.m., 0 views

CVE-2026-4589 kalcaddle kodbox fileGet Endpoint editor.class.php PathDriverUrl server-side request forgery

A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component fileGet Endpoint. Such manipulation of the argument path leads to server-side request forgery. T...

6.5 CVSS, 6.3 AI score, 0.0005 EPSS
Exploits: 0, References: 4
CNNVD
added 2026/03/23 12:0 a.m., 4 views

WWBN AVideo code issue vulnerability

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained code vulnerabilities. These vulnerabilities stemmed from a server-side request forgery vulnerability in the plugin/Live/standAloneFiles/saveDVR.json.php file. Thi...

9.1 CVSS, 5.9 AI score, 0.00127 EPSS
Exploits: 1, References: 2
Positive Technologies
added 2026/03/23 12:0 a.m., 2 views

PT-2026-27236

OpenClaw before 2026.3.1 contains a server-side request forgery vulnerability in web search citation redirect resolution that allows attackers to target private-network destinations. Attackers who influence citation redirect targets can trigger internal-network requests from the OpenClaw gateway...

8.3 CVSS, 5.8 AI score
Exploits: 0, References: 5
CNNVD
added 2026/03/23 12:0 a.m., 3 views

Kalcaddle Kodbox code issue vulnerability

Kalcaddle Kodbox is a private cloud storage and online collaborative office platform developed by Kalcaddle Corporation. Version 1.64 of kalcaddle Kodbox contains a code vulnerability. This vulnerability stems from incorrect handling of the “path” parameter in the component fileGet Endpoint,...

6.5 CVSS, 6.6 AI score, 0.0005 EPSS
Exploits: 0, References: 5
CNNVD
added 2026/03/23 12:0 a.m., 6 views

OpenSource-WorkShop Connect-CMS code issue vulnerability

OpenSource-WorkShop Connect-CMS is a content management system developed by the OpenSource-WorkShop company, designed for easy website creation. Versions of OpenSource-WorkShop Connect-CMS prior to 1.41.0 and 2.41.0 contain code vulnerabilities. These vulnerabilities stem from the Page Management...

6.8 CVSS, 5.9 AI score, 0.00019 EPSS
Exploits: 0, References: 5
CNNVD
added 2026/03/23 12:0 a.m., 3 views

WWBN AVideo code issue vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 26.0 contained code vulnerabilities; these vulnerabilities stemmed from a lack of access control at the test.php endpoint, which could lead to server-side request forgery...

9.3 CVSS, 5.9 AI score, 0.00029 EPSS
Exploits: 1, References: 2
CNNVD
added 2026/03/23 12:0 a.m., 5 views

esaml security vulnerability

esaml is a library developed by Australian developer Lexi Wilson for handling SAML authentication. It provides functions for SAML service providers and identity providers. esaml has a security vulnerability that stems from XML entity extensions not being disabled. This vulnerability may lead to XML...

6.3 CVSS, 5.8 AI score, 0.0005 EPSS
Exploits: 0, References: 2
NVD
added 2026/03/22 5:17 p.m., 2 views

CVE-2026-33294

WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint plugin/BulkEmbed/save.json.php fetches user-supplied thumbnail URLs via urlgetcontents without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with...

5 CVSS, 0.00013 EPSS
Exploits: 1, References: 2
Cvelist
added 2026/03/22 4:58 p.m., 33 views

CVE-2026-33294 AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources

WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint plugin/BulkEmbed/save.json.php fetches user-supplied thumbnail URLs via urlgetcontents without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with...

5 CVSS, 0.00013 EPSS
Exploits: 1, References: 2
EUVD
added 2026/03/22 12:30 a.m., 11 views

EUVD-2026-14258

A vulnerability was determined in trueleaf ApiFlow 0.9.7. The impacted element is the function validateUrlSecurity of the file packages/server/src/service/proxy/httpproxy.service.ts of the component URL Validation Handler. This manipulation causes server-side request forgery. Remote exploitation ...

7.5 CVSS, 5.4 AI score, 0.00057 EPSS
Exploits: 0, References: 5
CNNVD
added 2026/03/22 12:0 a.m., 4 views

WWBN AVideo code issue vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 26.0 contained code vulnerabilities. These vulnerabilities stemmed from the BulkEmbed plugin’s save endpoint, which did not implement SSRF protection when retrieving the...

5 CVSS, 5.9 AI score, 0.00013 EPSS
Exploits: 1, References: 2
NVD
added 2026/03/21 10:16 p.m., 8 views

CVE-2026-4528

A vulnerability was determined in trueleaf ApiFlow 0.9.7. The impacted element is the function validateUrlSecurity of the file packages/server/src/service/proxy/httpproxy.service.ts of the component URL Validation Handler. This manipulation causes server-side request forgery. Remote exploitation ...

7.5 CVSS, 0.00057 EPSS
Exploits: 0, References: 4
CVE
added 2026/03/21 10:2 p.m., 11 views

CVE-2026-4528

CVE-2026-4528 affects trueleaf ApiFlow 0.9.7. The vulnerability lies in the function validateUrlSecurity within packages/server/src/service/proxy/http_proxy.service.ts of the URL Validation Handler, enabling server-side request forgery (SSRF). Remote exploitation is possible and the exploit has...

7.5 CVSS, 5.4 AI score, 0.00057 EPSS
Exploits: 0, References: 4