
24 matches found

Vulnrichment
added 2026/05/08 10:26 p.m. | 6 views

CVE-2026-42346 Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validation paths

Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4–v2.21.6 share a fundamental TOCTOU Time-of-Check-Time-of-Use vulnerability: isSafePublicHttpsUrl resolves DNS to validate the target IP, but subsequent fetch calls...

CVSS 6.5 | AI score 5.8 | EPSS 0.00037
Exploits 0 | References 3
Vulnrichment
added 2026/05/08 1:26 p.m. | 6 views

CVE-2026-44335 SSRF bypass in PraisonAI

PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32...

CVSS 8.7 | AI score 5.7 | EPSS 0.00054
Exploits 1 | References 1
RedhatCVE
added 2026/03/26 3:13 p.m. | 5 views

CVE-2025-10461

Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker filesystem modules allows file access. This issue affects smartLink SW-HT: through 1.42 smartLink SW-PN: through 1.03...

CVSS 5.3 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 1
NVD
added 2026/03/16 2:17 p.m. | 2 views

CVE-2025-10461

Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker filesystem modules allows file access. This issue affects smartLink SW-HT: through 1.42 smartLink SW-PN: through 1.03...

CVSS 5.3 | EPSS 0.00042
Exploits 0 | References 2
OSV
added 2026/03/06 4:23 a.m. | 0 views

CVE-2026-28677 OpenSift: Insufficient URL destination restrictions in ingest flow could enable SSRF-style internal access

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with incomplete destination restrictions. Although private/local host checks existed, missing...

CVSS 8.2 | AI score 5.8 | EPSS 0.00058
Exploits 0 | References 7
Snyk
added 2025/11/07 3:30 a.m. | 2 views

Incorrect Behavior Order

Overview: ai is an AI SDK by Vercel (The AI Toolkit for TypeScript and JavaScript). Affected versions of this package are vulnerable to Incorrect Behavior Order via the downloadAssets function. An attacker can upload files with disallowed types by substituting arbitrary downloaded bytes for differe...

CVSS 6.3 | AI score 6.9 | EPSS 0.00083
Exploits 0 | References 2
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2021-0462

Malware in sbrugna...

CVSS 6.1 | AI score 5.2 | EPSS 0.00274
Exploits 0 | References 8
Github Security Blog
added 2025/06/10 2:14 p.m. | 9 views

Coverage REST API Server Side Request Forgery

Summary: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file from a specified URL when method equals 'url', with no restriction. Details: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file...

CVSS 5.5 | AI score 5.9 | EPSS 0.003
Exploits 0 | References 5 | Affected Software 2
OSV
added 2025/06/10 2:14 p.m. | 7 views

GHSA-R4HF-R8GJ-JGW2 Coverage REST API Server Side Request Forgery

Summary: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file from a specified URL when method equals 'url', with no restriction. Details: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file...

CVSS 5.5 | AI score 7.3 | EPSS 0.003
Exploits 0 | References 5
Prion
added 2023/10/25 6:17 p.m. | 19 views

Server side request forgery (SSRF)

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an sld= parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles,...

CVSS 5 | AI score 5.4 | EPSS 0.00179
Exploits 0 | References 3 | Affected Software 1
OSV
added 2023/10/24 7:21 p.m. | 42 views

GHSA-5PR3-M5HM-9956 WPS Server Side Request Forgery vulnerability

Summary: The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. Details: This vulnerability requires: the WPS extension to be installed; the WPS security setting...

CVSS 8.6 | AI score 9.1 | EPSS 0.89488
Exploits 0 | References 5
Github Security Blog
added 2023/10/24 7:21 p.m. | 33 views

WPS Server Side Request Forgery vulnerability

Summary: The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. Details: This vulnerability requires: the WPS extension to be installed; the WPS security setting...

CVSS 9.8 | AI score 6.3 | EPSS 0.89488
Exploits 0 | References 5 | Affected Software 1
OSV
added 2023/10/24 7:20 p.m. | 22 views

GHSA-CQPC-X2C6-2GMF Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF

Summary: The WMS specification defines an sld= parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Server Side Request Forgery. It is possibl...

CVSS 5.3 | AI score 6.8 | EPSS 0.00179
Exploits 0 | References 5
Github Security Blog
added 2023/10/24 7:20 p.m. | 38 views

Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF

Summary: The WMS specification defines an sld= parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Server Side Request Forgery. It is possibl...

CVSS 8.6 | AI score 6.7 | EPSS 0.00179
Exploits 0 | References 5 | Affected Software 2
F5 Networks
added 2023/02/21 6:33 p.m. | 133 views

K20289222: Multiple PHP vulnerabilities

Security Advisory Description: CVE-2016-10397: In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:[email protected]/ and...

CVSS 9.1 | AI score 7.2 | EPSS 0.40698
Exploits 1
Huntr
added 2022/04/12 7:24 p.m. | 11 views

Open Redirect

Description: An Open Redirect vulnerability enables an attacker to redirect victims/users to malicious websites. The bug exists due to an improper fix of https://huntr.dev/bounties/bac0b763-730c-4c4b-8b20-eb4926928cf3/. By using a double / it is possible to bypass the check for http at the beginning o...

AI score 0.4
Exploits 0 | References 1
CNVD
added 2018/05/30 12:00 a.m. | 2 views

crud-file-server node module path traversal vulnerability

The crud-file-server node module is a file server that supports create, read, update and delete functions. A path traversal vulnerability exists in the crud-file-server node module prior to version 0.9.0, which stems from the program's failure to properly verify the URL, and can be exploited by a...

CVSS 7.5 | AI score 7.6 | EPSS 0.00368
Exploits 1 | References 1
Hacker One
added 2017/10/23 8:49 p.m. | 33 views

Infogram: Stored XSS in the Custom Logo link (non-Basic plan required)

Description: Hello. Recently I contacted Infogram and requested a trial of the Business version to test some features which were unavailable in the Basic version. I discovered a stored cross-site scripting issue in the Custom Logo link. F232084 There were some URL checks in place, but I was...

AI score 5.8
Exploits 0
Debian CVE
added 2017/07/10 2:00 p.m. | 40 views

CVE-2016-10397

Removed by vendor...

CVSS 7.5 | AI score 8.2 | EPSS 0.00402
Exploits 0
Cvelist
added 2017/07/10 2:00 p.m. | 29 views

CVE-2016-10397

In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:[email protected]/ and evil.example.com:[email protected]/ inputs to the parse_url...

AI score 8.3 | EPSS 0.00402
Exploits 0 | References 7