ffmate 代码问题漏洞

ffmate is an automated media processing engine open source by We Love Media. Versions of ffmate 2.0.15 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect operations on the function fireWebhook in files/internal/service/webhook/webhook.go, which could lead to...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the --lfs-endpoint parameter during repository import. An attacker can cause the server to send HTTP requests to internal or private IP addresses, potentially accessing sensitive internal services or...

soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import

While auditing the codebase in the wake of the webhook SSRF fix shipped in v0.11.1 GHSA-vwq2-jx9q-9h9f, it was identified that the LFS import path was never given the same treatment. The webhook fix introduced dual-layer SSRF protection — ValidateWebhookURL at creation time and secureHTTPClient...

CVE-2026-30844

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

EUVD-2026-10063

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

CVE-2026-30844

Wekan (versions 8.32 and 8.33) is vulnerable to SSRF via attachment URL loading during board import. User-supplied JSON data contains attachment URLs that are read by the server without URL validation or filtering. The parseActivities() and parseActions() flows extract these URLs and pass them to...

CVE-2026-29178

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/filename endpoint is vulnerable to unauthenticated SSRF...

CVE-2026-29178

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypubfederation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/filename endpoint is vulnerable to unauthenticated SSRF...

CVE-2026-29178

CVE-2026-29178 affects Lemmy via the activitypub_federation Rust framework. Before version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through injection of parameters in file_type, enabling an internal request to pict-rs and use of the proxy parameter ...

CVE-2025-45691

A flaw was found in Ragas. Improper validation of URLs supplied in the retrievedcontexts parameter when handling multimodal inputs leads to Server-Side Request Forgery SSRF. This vulnerability allows attackers to perform arbitrary file reads, conduct internal port scans and access cloud metadata...

CVE-2026-28680

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata IMDS or probe internal network services. This issue has been patched in...

CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata IMDS or probe internal network services. This issue has been patched in...

CVE-2026-28680

CVE-2026-28680 affects Ghostfolio before version 2.245.0. An attacker can abuse the manual asset import feature to perform a full-read SSRF, enabling exfiltration of sensitive cloud metadata (IMDS) and the ability to probe internal network services. The vulnerability exhibits high confidentiality...

CVE-2026-28677 OpenSift: Insufficient URL destination restrictions in ingest flow could enable SSRF-style internal access

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with incomplete destination restrictions. Although private/local host checks existed, missing...

CVE-2026-28677 OpenSift: Insufficient URL destination restrictions in ingest flow could enable SSRF-style internal access

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with incomplete destination restrictions. Although private/local host checks existed, missing...

CVE-2026-28677

OpenSift prior to v1.6.3-alpha exposed an SSRF vulnerability in the URL ingest pipeline due to incomplete destination restrictions on user-controlled URLs. In non-localhost deployments, credentialed URLs, non-standard ports, and cross-host redirects created abuse paths. The issue has been patched...

WeKan 代码问题漏洞

WeKan is an open-source dashboard application developed by WeKan. Versions 8.32 and 8.33 of WeKan have code vulnerabilities. These vulnerabilities stem from server-side request forgery, which may lead to arbitrary HTTP requests and access to internal network services...

OpenSift 代码问题漏洞

OpenSift is an open-source artificial intelligence learning assistant developed by OpenSift. Versions of OpenSift prior to 1.6.3-alpha contained code vulnerabilities. These vulnerabilities stemmed from the URL ingestion pipeline accepting remotely controlled URLs under user control, resulting in...

Plane 代码问题漏洞

Plane is an open-source, self-hosted project planning tool developed by Plane OpenSource. Versions of Plane prior to 1.2.3 contained code vulnerabilities. These vulnerabilities stemmed from the Webhook URL validation only checking ip.isloopback, which could allow attackers with the ADMIN role to...

Ghostfolio 代码问题漏洞

Ghostfolio is an open-source personal wealth management software developed by Ghostfolio. Versions of Ghostfolio prior to 2.245.0 contained code vulnerabilities. These vulnerabilities stemmed from a flaw in the manual asset import function, where a complete read server-side request forgery was...