
7249 matches found

Source: CVE | added 2025/09/19 6:34 p.m. | 23 views

CVE-2025-26515

StorageGRID (formerly StorageGRID Webscale) is affected by CVE-2025-26515, a Server-Side Request Forgery (SSRF) in versions prior to 11.8.0.15 and 11.9.0.8 when Single Sign-On is not enabled. An unauthenticated attacker could change the password of any Grid Manager or Tenant Manager non-federated...

CVSS 7.5 | AI score 6.6 | EPSS 0.00317
Exploits 0 | References 1 | Affected software 1

Source: Cvelist | added 2025/09/19 6:34 p.m. | 7 views

CVE-2025-26515 Server-Side Request Forgery Vulnerability in StorageGRID (formerly StorageGRID Webscale)

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-On enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploitation could allow an unauthenticated attacker to change the password of any Grid Manager or Tenant...

CVSS 7.5 | EPSS 0.00317
Exploits 0 | References 1

Source: OSV | added 2025/09/19 4:15 p.m. | 4 views

CVE-2025-57644

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write a...

CVSS 9.1 | AI score 6.3 | EPSS 0.00694
Exploits 0 | References 2

Source: RedhatCVE | added 2025/09/19 3:28 p.m. | 3 views

CVE-2025-9862

Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources. This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3...

CVSS 6.1 | AI score 7 | EPSS 0.00483
Exploits 1 | References 1

Source: Cvelist | added 2025/09/19 3:21 p.m. | 7 views

CVE-2025-59344 AliasVault Vulnerable to Server-Side Request Forgery via Favicon Extraction

AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows...

CVSS 7.7 | EPSS 0.00299
Exploits 0 | References 4

Source: CVE | added 2025/09/19 3:21 p.m. | 12 views

CVE-2025-59344

AliasVault API <= 0.23.0 is affected by an SSRF in the favicon extraction flow. The extractor fetches a user-supplied URL, parses the returned HTML, and follows the links it finds there. It validates the initial URL for HTTP(S) on default ports only, but it follows redirects and does not block loopback/internal IP ranges, allowing an authenti...

CVSS 7.7 | AI score 6.7 | EPSS 0.00299
Exploits 0 | References 4

Source: OSV | added 2025/09/19 1:13 p.m. | 5 views

OESA-2025-2317 python-pip security update

pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. Name: python-pip Version: 23.3.1 Release: 3 Summary: A...

CVSS 6.1 | AI score 6.9 | EPSS 0.00341
Exploits 1 | References 2

Source: Tenable Nessus | added 2025/09/19 12:00 a.m. | 5 views

Flowise < 3.0.6 Multiple Vulnerabilities

According to its banner, the version of Flowise running on the remote host is prior to 3.0.6. It is, therefore, affected by multiple vulnerabilities: an unauthenticated password reset token disclosure; a Server-Side Request Forgery vulnerability in the /api/v1/fetch-links endpoint; a remote code...

CVSS 9.8 | AI score 7.9 | EPSS 0.50118
Exploits 13 | References 8

Source: CNNVD | added 2025/09/19 12:00 a.m. | 3 views

NetApp StorageGRID security vulnerability

NetApp StorageGRID is a suite of object storage solutions from Network Appliance (NetApp). A security vulnerability exists in NetApp StorageGRID versions prior to 11.8.0.15 and prior to 11.9.0.8 when single sign-on is not enabled; it could lead to a server-side request forgery...

CVSS 7.5 | AI score 6.7 | EPSS 0.00317
Exploits 0 | References 2

Source: CVE | added 2025/09/19 12:00 a.m. | 18 views

CVE-2025-57644

CVE-2025-57644 affects Accela Automation Platform 22.2.3.0.230103 (Test Script feature). An authenticated administrative user can execute arbitrary Java code on the server, enabling remote code execution. Additional flaws include improper input validation that allows arbitrary file write and serv...

CVSS 9.1 | AI score 8.2 | EPSS 0.00694
Exploits 0 | References 2 | Affected software 1

Source: Veracode | added 2025/09/18 7:48 a.m. | 31 views

Server-Side Request Forgery (SSRF)

phpoffice/phpspreadsheet is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper input validation: the setPath method in the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class allows attackers to craft requests to internal resources...

CVSS 8.7 | AI score 7 | EPSS 0.00741
Exploits 0 | References 9 | Affected software 1

Source: Snyk | added 2025/09/17 7:27 p.m. | 1 view

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the CreatePreheat process and peer-to-peer communication mechanisms. An attacker can access internal network resources by supplying crafted URLs to API endpoints or by leveraging peer requests,...

CVSS 8.7 | AI score 6.7 | EPSS 0.00231
Exploits 0 | References 2

Source: OSV | added 2025/09/17 7:27 p.m. | 3 views

GHSA-G2RQ-JV54-WCPR Dragonfly vulnerable to server-side request forgery

Impact: There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2's components to make requests to internal services, which otherwise are not accessible to the users. One SSRF attack vector is exposed by the...

CVSS 8.7 | AI score 6.8 | EPSS 0.00231
Exploits 0 | References 5

Source: Github Security Blog | added 2025/09/17 7:27 p.m. | 7 views

Dragonfly vulnerable to server-side request forgery

Impact: There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2's components to make requests to internal services, which otherwise are not accessible to the users. One SSRF attack vector is exposed by the...

CVSS 6.9 | AI score 6.8 | EPSS 0.00231
Exploits 0 | References 5 | Affected software 2

Source: Cvelist | added 2025/09/17 7:20 p.m. | 6 views

CVE-2025-59346 Dragonfly server-side request forgery vulnerability

Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2's components to make requests to internal services that are otherwise not accessible to...

CVSS 6.9 | EPSS 0.00231
Exploits 0 | References 2

Source: CVE | added 2025/09/17 7:20 p.m. | 16 views

CVE-2025-59346

Technical details for CVE-2025-59346 are not provided in the connected documents. Public details require checking the primary sources and monitoring for updates.

CVSS 6.9 | AI score 6.5 | EPSS 0.00231
Exploits 0 | References 2 | Affected software 1

Source: RedhatCVE | added 2025/09/17 4:52 p.m. | 9 views

CVE-2025-10471

A vulnerability was detected in ZKEACMS 4.3. Affected is the function Proxy in the file src/ZKEACMS/Controllers/MediaController.cs. Manipulation of the argument url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may...

CVSS 6.5 | AI score 6.7 | EPSS 0.00282
Exploits 0 | References 1

Source: NVD | added 2025/09/17 3:15 p.m. | 4 views

CVE-2025-9862

Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources. This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3...

CVSS 6.5 | EPSS 0.00483
Exploits 1 | References 4

Source: NVD | added 2025/09/17 3:15 p.m. | 3 views

CVE-2025-57055

WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server fetches the provided URL using curl_exec without sufficient validation,...

CVSS 6.5 | EPSS 0.00381
Exploits 1 | References 1

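The AliasVault, Ghost, ZKEACMS and WonderCMS entries above all describe the same defect: a server-side component fetches a user-supplied URL after checking, at most, the scheme and port of the first URL, then follows redirects into loopback, link-local or RFC 1918 space. The following Python is an added example, not code from any project listed on this page. It places that weak pattern (`naive_fetch`) beside a hardened fetch that resolves the host, requires every resolved address to be public, pins the connection to the validated address, and repeats the check on each redirect hop. The hostnames, addresses, DNS table and server table are constructed for the example so it runs offline; `_request` stands in for a real HTTP client.

```python
import ipaddress
from urllib.parse import urlparse

MAX_REDIRECTS = 3
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {None, 80, 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed name-resolution table standing in for DNS (assumed names/addresses).
DNS = {
    "example.com": ["93.184.216.34"],
    "evil.example": ["104.16.0.7"],
    "rebind.example": ["104.16.0.7", "127.0.0.1"],  # mixed public/loopback answers
    "localhost": ["127.0.0.1"],
}

# Constructed servers: (scheme, ip, path) -> (status, Location header, body).
SERVERS = {
    ("http", "93.184.216.34", "/"): (200, None, "public page"),
    ("http", "104.16.0.7", "/"): (302, "http://169.254.169.254/latest/meta-data/", ""),
    ("http", "169.254.169.254", "/latest/meta-data/"): (200, None, "cloud metadata"),
    ("http", "127.0.0.1", "/admin"): (200, None, "internal admin"),
}


class SsrfBlocked(Exception):
    """Raised when a hop of the fetch would reach a non-public address."""

def _request(scheme, ip, path):
    """Simulated HTTP request to an already-resolved address (offline stand-in)."""
    return SERVERS.get((scheme, ip, path), (404, None, ""))

def _resolve(hostname):
    """Return the IP literal itself, or every answer from the constructed DNS table."""
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        return list(DNS.get(hostname, []))

def is_public_ip(ip):
    """False for loopback, RFC 1918, link-local (cloud metadata), multicast, reserved,
    unspecified and (through is_private) IANA special-purpose ranges, v4 and v6."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def check_shape(url):
    """The weak check the advisories describe: scheme and default port only."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES or not p.hostname or p.port not in DEFAULT_PORTS:
        raise SsrfBlocked(f"rejected URL shape: {url}")
    return p

def naive_fetch(url):
    """Vulnerable pattern: validate the first URL, then follow redirects blindly."""
    p = check_shape(url)
    for _ in range(MAX_REDIRECTS + 1):
        addrs = _resolve(p.hostname)
        if not addrs:
            raise SsrfBlocked(f"unresolvable host: {p.hostname}")
        status, location, body = _request(p.scheme, addrs[0], p.path or "/")
        if status in REDIRECT_CODES and location:
            p = urlparse(location)  # the new target is never re-validated
            continue
        return body
    raise SsrfBlocked("too many redirects")

def validate_target(url):
    """Hardened check: URL shape, then every resolved address must be public.
    Returns (scheme, pinned_ip, path); connecting to pinned_ip defeats DNS rebinding."""
    p = check_shape(url)
    addrs = _resolve(p.hostname)
    if not addrs:
        raise SsrfBlocked(f"unresolvable host: {p.hostname}")
    for ip in addrs:
        if not is_public_ip(ip):
            raise SsrfBlocked(f"{p.hostname} resolves to non-public {ip}")
    return p.scheme, addrs[0], p.path or "/"

def hardened_fetch(url):
    """Re-validate on every hop and connect only to the pinned address."""
    for _ in range(MAX_REDIRECTS + 1):
        scheme, ip, path = validate_target(url)
        status, location, body = _request(scheme, ip, path)
        if status in REDIRECT_CODES:
            if not location or not urlparse(location).netloc:
                raise SsrfBlocked("redirect without an absolute Location")
            url = location  # goes back through validate_target on the next loop
            continue
        return body
    raise SsrfBlocked("too many redirects")

def outcome(fetcher, url):
    """Run a fetcher and fold SsrfBlocked into the string 'BLOCKED' for comparison."""
    try:
        return fetcher(url)
    except SsrfBlocked:
        return "BLOCKED"
```

With the constructed tables, `naive_fetch("http://evil.example/")` passes the shape check, follows the 302 and returns the metadata body, while `hardened_fetch` on the same URL rejects the link-local hop; `rebind.example` is rejected because one of its answers is loopback. In production `_request` becomes an HTTP client that connects to the pinned IP with automatic redirects disabled (for example `requests.get(..., allow_redirects=False)`) so every `Location` header passes back through `validate_target`; the same check belongs on every URL a module or theme installer, link previewer or favicon extractor fetches, not only on the first one the user typed.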