9242 matches found

RedhatCVE
added 2026/01/07 9:12 a.m. · 15 views

CVE-2024-2343

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.11.6 via the formtourlaction function. This makes it possible for authenticated attackers, with contributor-level access and above, to...

CVSS 6.4 · AI score 6.5 · EPSS 0.00517
Exploits 1 · References 1
RedhatCVE
added 2026/01/07 9:11 a.m. · 14 views

CVE-2025-1912

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validatefile function. This makes it possible for authenticated attackers, with Administrator-level...

CVSS 7.6 · AI score 6.8 · EPSS 0.00353
Exploits 0 · References 1
RedhatCVE
added 2026/01/07 9:11 a.m. · 22 views

CVE-2025-1970

The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validatefile function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web request...

CVSS 7.6 · AI score 6.8 · EPSS 0.00386
Exploits 0 · References 1
RedhatCVE
added 2026/01/07 9:11 a.m. · 16 views

CVE-2025-1781

There is an XXE in W3CSS Validator versions before cssval-20250226 that allows an attacker to use specially-crafted XML objects to coerce server-side request forgery (SSRF). This could be exploited to read arbitrary local files if an attacker has access to exception messages...

CVSS 8.4 · AI score 7 · EPSS 0.00363
Exploits 1 · References 1
RedhatCVE
added 2026/01/07 9:09 a.m. · 6 views

CVE-2024-2663

The ZD YouTube FLV Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.6 via the $_GET['image'] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web...

CVSS 8.3 · AI score 6.8 · EPSS 0.00436
Exploits 0 · References 1
Github Security Blog
added 2026/01/06 5:44 p.m. · 11 views

Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability

Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources. Description: The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it doe...

CVSS 5.8 · AI score 6.9 · EPSS 0.00755
Exploits 2 · References 5 · Affected Software 1
Patchstack
added 2026/01/06 9:45 a.m. · 9 views

WordPress Xagio SEO plugin <= 7.1.0.30 - Authenticated (Subscriber+) Server-Side Request Forgery vulnerability

Authenticated (Subscriber+) Server-Side Request Forgery vulnerability discovered by Jack Taylor in WordPress Plugin Xagio SEO versions <= 7.1.0.30...

CVSS 6.4 · AI score 6.8 · EPSS 0.00197
Exploits 0 · References 1 · Affected Software 1
SUSE CVE
added 2026/01/06 12:24 a.m. · 2 views

SUSE CVE-2025-67494

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI V2 treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This...

CVSS 9.3 · AI score 7.1 · EPSS 0.00452
Exploits 2 · References 2
Positive Technologies
added 2026/01/06 12:00 a.m. · 6 views

PT-2026-1411

Name of the Vulnerable Software and Affected Versions: Xagio SEO – AI Powered SEO plugin for WordPress versions through 7.1.0.30. Description: The Xagio SEO – AI Powered SEO plugin for WordPress is susceptible to a Server-Side Request Forgery issue. This allows authenticated attackers with...

CVSS 6.4 · AI score 6.2 · EPSS 0.00197
Exploits 0 · References 10
Snyk
added 2026/01/05 10:55 p.m. · 3 views

Server-side Request Forgery (SSRF)

Overview: io.spinnaker.orca:orca-clouddriver (Spinnaker Orca). Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via improper restrictions on user-supplied URLs when fetching data. An attacker can access internal resources, extract sensitive authentication data...

CVSS 8.8 · AI score 6.9 · EPSS 0.00155
Exploits 0 · References 3
Github Security Blog
added 2026/01/05 10:55 p.m. · 12 views

Spinnaker vulnerable to SSRF due to improper restrictions on http from user input

Impact: The primary impact is allowing users to fetch data from a remote URL. This data can then be injected into Spinnaker pipelines via helm or other methods to extract things like IMDSv1 authentication data. This also includes calling internal Spinnaker APIs via a GET and similar endpoints...

CVSS 7.9 · AI score 6.9 · EPSS 0.00155
Exploits 0 · References 3 · Affected Software 1
EUVD
added 2026/01/05 10:55 p.m. · 4 views

EUVD-2025-206237

Spinnaker vulnerable to SSRF due to improper restrictions on http from user input...

CVSS 7.9 · AI score 6.3 · EPSS 0.00155
Exploits 0 · References 2
NVD
added 2026/01/05 10:15 p.m. · 4 views

CVE-2025-61916

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into spinnaker pipelines vi...

CVSS 7.9 · EPSS 0.00155
Exploits 0 · References 1
CVE
added 2026/01/05 9:52 p.m. · 16 views

CVE-2025-68437

CVE-2025-68437 affects Craft CMS via SSRF in the GraphQL mutation save__Asset, caused by insufficient validation of the _file.url parameter. Affected versions are 5.0.0-RC1–5.8.20 and 4.0.0-RC1–4.16.16. An attacker with asset-management permissions can supply a URL pointing to internal IPs or c...

CVSS 6.8 · AI score 6.8 · EPSS 0.00427
Exploits 1 · References 3 · Affected Software 1
Snyk
added 2026/01/05 9:30 p.m. · 2 views

Server-side Request Forgery (SSRF)

Overview: @evershop/evershop is the React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the GET /images API endpoint. An attacker can cause the server to...

CVSS 6.9 · AI score 7 · EPSS 0.00175
Exploits 0 · References 2
OSV
added 2026/01/05 6:02 p.m. · 3 views

GHSA-X27P-WFQW-HFCC Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

The Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by...

CVSS 5.9 · AI score 7.3 · EPSS 0.00446
Exploits 3 · References 5
Positive Technologies
added 2026/01/05 12:00 a.m. · 7 views

PT-2026-1344

Name of the Vulnerable Software and Affected Versions: Craft versions 5.0.0-RC1 through 5.8.20; Craft versions 4.0.0-RC1 through 4.16.16. Description: Craft is a platform for creating digital experiences. The GraphQL save Asset mutation is susceptible to Server-Side Request Forgery (SSRF). The issue...

CVSS 6.8 · AI score 6.9 · EPSS 0.00427
Exploits 1 · References 14
Positive Technologies
added 2026/01/02 12:00 a.m. · 5 views

PT-2026-1120

Name of the Vulnerable Software and Affected Versions: Emlog versions up to and including 2.5.19. Description: Emlog is vulnerable to server-side Out-of-Band (OOB) requests and Server-Side Request Forgery (SSRF) through the handling of uploaded SVG files. An attacker can upload a specially crafted SVG...

CVSS 7.7 · AI score 6.5 · EPSS 0.00274
Exploits 1 · References 6
CNNVD
added 2026/01/02 12:00 a.m. · 6 views

emlog code issue vulnerability

emlog is an open-source CMS site-building system based on PHP and MySQL. A code issue vulnerability exists in Emlog 2.5.19 and prior versions, which stems from an out-of-band server-side request or a server-side request forgery by uploading an SVG file that could lead to probing the...

CVSS 7.7 · AI score 6.8 · EPSS 0.00274
Exploits 1 · References 2
NVD
added 2026/01/01 6:15 p.m. · 7 views

CVE-2026-21428

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the writeheaders function does not check for CR & LF characters in user supplied headers, allowing an untrusted header value to escape header lines. This vulnerability allows attackers to add...

CVSS 8.7 · EPSS 0.00372
Exploits 1 · References 3