7338 matches found

EUVD
added 2026/03/08 12:31 a.m. | 4 views

EUVD-2026-10196

A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been made available to...

CVSS 6.5 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 5

CNNVD
added 2026/03/08 12:0 a.m. | 3 views

XXL-JOB Code Issue Vulnerability

XXL-JOB is a distributed task scheduling platform developed by Xuxueli. Versions of xxl-job 3.3.2 and earlier have code vulnerabilities. These vulnerabilities stem from operations on unknown functions in the JobInfoController.java file, which may lead to server-side request forgery attacks...

CVSS 6.5 | AI score 6.7 | EPSS 0.00214
Exploits: 0 | References: 7

CNNVD
added 2026/03/08 12:0 a.m. | 5 views

HotGo-V2 Code Issue Vulnerability

HotGo-V2 is a secondary development framework developed by Meng Shuai as an individual project. Versions of HotGo 2.0 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect operations on functions in the componentEndpoint file, /server/,...

CVSS 6.5 | AI score 6.7 | EPSS 0.00206
Exploits: 0 | References: 5

Positive Technologies
added 2026/03/08 12:0 a.m. | 5 views

PT-2026-23938

Name of the Vulnerable Software and Affected Versions: xuxueli xxl-job versions up to 3.3.2. Description: A server-side request forgery condition exists in xuxueli xxl-job. The issue is located in the file source-code/src/main/java/com/xxl/job/admin/controller/JobInfoController.java, affecting an...

CVSS 6.5 | AI score 6.5 | EPSS 0.00214
Exploits: 0 | References: 15

CNNVD
added 2026/03/08 12:0 a.m. | 4 views

ContiNew Admin Code Issue Vulnerability

ContiNew Admin is an open-source, continuously optimized backend-to-frontend separation management system framework developed by ContiNew. Versions of ContiNew Admin 4.2.0 and earlier contained code vulnerabilities. These vulnerabilities stemmed from operations on the URI.create function in the...

CVSS 7.2 | AI score 5.9 | EPSS 0.00353
Exploits: 1 | References: 5

CVE
added 2026/03/07 11:32 p.m. | 28 views

CVE-2026-3683

CVE-2026-3683 affects bufanyun HotGo (up to 2.0). The vulnerability is in Endpoint’s ImageTransferStorage function (file /server/internal/logic/common/upload.go) and causes server-side request forgery (SSRF). Impact is described as remote exploitability with low to moderate confidentiality/integr...

CVSS 6.5 | AI score 5.5 | EPSS 0.00206
Exploits: 0 | References: 4

ATTACKERKB
added 2026/03/07 11:32 p.m. | 2 views

CVE-2026-3683

A vulnerability was detected in bufanyun HotGo up to 2.0. This issue affects the function ImageTransferStorage of the file /server/internal/logic/common/upload.go of the component Endpoint. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit i...

CVSS 6.5 | AI score 5.5 | EPSS 0.00206
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2026/03/07 11:32 p.m. | 44 views

CVE-2026-3683 bufanyun HotGo Endpoint upload.go ImageTransferStorage server-side request forgery

A vulnerability was detected in bufanyun HotGo up to 2.0. This issue affects the function ImageTransferStorage of the file /server/internal/logic/common/upload.go of the component Endpoint. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit i...

CVSS 6.5 | EPSS 0.00206
Exploits: 0 | References: 4

Vulnrichment
added 2026/03/07 11:32 p.m. | 2 views

CVE-2026-3683 bufanyun HotGo Endpoint upload.go ImageTransferStorage server-side request forgery

A vulnerability was detected in bufanyun HotGo up to 2.0. This issue affects the function ImageTransferStorage of the file /server/internal/logic/common/upload.go of the component Endpoint. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit i...

CVSS 6.5 | AI score 6.2 | EPSS 0.00206
Exploits: 0 | References: 4

Vulnrichment
added 2026/03/07 11:2 p.m. | 2 views

CVE-2026-3681 welovemedia FFmate webhook.go fireWebhook server-side request forgery

A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been made available to...

CVSS 6.5 | AI score 6.3 | EPSS 0.00224
Exploits: 0 | References: 4

CVE
added 2026/03/07 11:2 p.m. | 10 views

CVE-2026-3681

Summary: CVE-2026-3681 affects welovemedia FFmate up to v2.0.15. The vulnerability lies in the file /internal/service/webhook/webhook.go, in the function fireWebhook, where input manipulation can trigger a server-side request forgery (SSRF). The issue is exploitable remotely; an attacker can cra...

CVSS 6.5 | AI score 5.5 | EPSS 0.00224
Exploits: 0 | References: 4

Cvelist
added 2026/03/07 11:2 p.m. | 31 views

CVE-2026-3681 welovemedia FFmate webhook.go fireWebhook server-side request forgery

A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been made available to...

CVSS 6.5 | EPSS 0.00224
Exploits: 0 | References: 4

RedhatCVE
added 2026/03/07 7:31 p.m. | 3 views

CVE-2026-29178

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/filename endpoint is vulnerable to unauthenticated SSRF...

CVSS 8.7 | AI score 5.8 | EPSS 0.00272
Exploits: 0 | References: 1

NVD
added 2026/03/07 4:15 p.m. | 9 views

CVE-2026-30834

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs,...

CVSS 7.5 | EPSS 0.00423
Exploits: 1 | References: 1

Cvelist
added 2026/03/07 3:57 p.m. | 25 views

CVE-2026-30832 Soft Serve: SSRF via unvalidated LFS endpoint in repo import

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is...

CVSS 9.1 | EPSS 0.00328
Exploits: 1 | References: 3

CVE
added 2026/03/07 3:57 p.m. | 27 views

CVE-2026-30832

CVE-2026-30832 — Soft Serve: An authenticated SSH user could force the server to perform HTTP requests to internal/private IPs by importing a crafted --lfs-endpoint URL, enabling access to internal targets. The initial batch request is blind and metadata endpoint parsing may not yield valid LFS J...

CVSS 9.1 | AI score 5.7 | EPSS 0.00328
Exploits: 1 | References: 3 | Affected Software: 1

ATTACKERKB
added 2026/03/07 3:36 p.m. | 3 views

CVE-2026-30834

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs,...

CVSS 7.5 | AI score 5.8 | EPSS 0.00423
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/03/07 3:36 p.m. | 1 views

CVE-2026-30834 PinchTab: SSRF with Full Response Exfiltration via Download Handler

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs,...

CVSS 7.5 | AI score 5.8 | EPSS 0.00423
Exploits: 1 | References: 1

Cvelist
added 2026/03/07 3:36 p.m. | 31 views

CVE-2026-30834 PinchTab: SSRF with Full Response Exfiltration via Download Handler

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs,...

CVSS 7.5 | EPSS 0.00423
Exploits: 1 | References: 1

OSV
added 2026/03/07 3:36 p.m. | 3 views

CVE-2026-30834 PinchTab: SSRF with Full Response Exfiltration via Download Handler

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs,...

CVSS 7.5 | AI score 5.8 | EPSS 0.00423
Exploits: 1 | References: 3