PT-2026-23744

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

CVE-2026-28467 OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration

OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTPS URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can...

CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

GHSA-595M-WC8G-6QGC WeKnora is Vulnerable to SSRF via Redirection

Summary The application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery SSRF through HTTP redirects. While the backend implements comprehensive URL validation blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints, it fails to...

Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer

Summary The webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.. When webhook events fire, the...

CVE-2026-28036

CVE-2026-28036 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Ratatouille WordPress Theme (SkatDesign) version 1.2.6 and earlier. The connected Wordfence report documents it as an authenticated issue (Subscriber+), indicating exploitation would require valid credentials and a...

CVE-2026-28036 WordPress Ratatouille theme <= 1.2.6 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery SSRF vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through = 1.2.6...

GHSA-C7MQ-GH6Q-6Q7C opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass

A Server-Side Request Forgery SSRF vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass

A Server-Side Request Forgery SSRF vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

OpenClaw 代码问题漏洞

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.14 had code-related vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing vulnerability in the Feishu extension, which could allow attackers to obtain control of remote...

GHSA-4RQQ-W8V4-7P47 OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard

Summary isPrivateIpv4 in bundled SSRF guard code missed several IPv4 special-use/non-global ranges, so webfetch could allow targets that should be blocked by SSRF policy. Affected Packages / Versions - Package: openclaw npm - Latest published affected version: 2026.2.21-2 published 2026-02-21 -...

Server-side Request Forgery (SSRF)

Overview @openclaw/nostr is an OpenClaw Nostr channel plugin for NIP-04 encrypted DMs Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the URL ingestion process. An attacker can access internal or private network resources by crafting a URL containing an...

GHSA-8CP7-RP8R-MG77 OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP

Summary OpenClaw's SSRF hostname/IP guard did not detect ISATAP embedded IPv4 addresses ...:5efe:w.x.y.z. A crafted URL containing an ISATAP IPv6 literal could embed a private IPv4 target for example loopback and bypass private-address filtering in URL-fetching paths. Severity Assessment Rated...

CVE-2026-3125

CVE-2026-3125 affects the @opennextjs/cloudflare package and its /cdn-cgi/image/ handler. A path normalization bypass (using a backslash in the path, e.g., /cdn-cgi\image/…) can bypass Cloudflare edge interception, allowing requests to reach the Worker and trigger an unvalidated fetch of arbitrar...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the notifier functionality. An attacker can enumerate internal services by supplying arbitrary URLs, causing the application to send HTTP POST requests and observing UI behavior differences based on...

PT-2026-23032

Name of the Vulnerable Software and Affected Versions @opennextjs/cloudflare affected versions not specified Description A Server-Side Request Forgery SSRF issue exists in the @opennextjs/cloudflare package. This is due to a path normalization bypass in the /cdn-cgi/image/ handler. Specifically,...

PT-2026-23113

Name of the Vulnerable Software and Affected Versions Drupal OpenID Connect / OAuth client versions prior to 1.5.0 Description A Server-Side Request Forgery SSRF issue exists in the OpenID Connect / OAuth client module of Drupal. This flaw stems from insufficient validation of data received from...

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the writeUrlToFile function. An attacker can access internal network resources or perform unauthorized network requests by supplying crafted URLs in t...

OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists

Summary In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content. Affected Packages / Versions - Package:...

Exploit for Server-Side Request Forgery in Rbaskets Request_Baskets

Sau Hack The Box – Sau Writeup Overview Sau is an...