CVE-2026-12635 Reliance on Reverse DNS Resolution for a Security-Critical Action in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through...

CVE-2026-20255

The CVE-2026-20255 issue affects Splunk Enterprise (versions below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132). A low-privilege user can craft a malicious classic dashboard to exfiltrate sensitive data to an external ser...

CVE-2026-43884

WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints plugin/AI/receiveAsync.json.php and objects/EpgParser.php in AVideo call isSSRFSafeURL to validate user-supplied URLs, then fetch them using bare filegetcontents without disabling PHP's automatic...

MISP 安全漏洞

MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics. It also includes features for analyzing threats to network security and malware analysis. MISP has a security vulnerability, which...

CVE-2026-9557

CVE-2026-9557 describes a Server-Side Request Forgery (SSRF) in Mautic’s Focus component. The root cause is insufficient validation of user-supplied URLs, allowing an authenticated user to cause the hosting server to perform outbound HTTP requests. This can enable internal network reconnaissance ...

CVE-2026-45061

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

CVE-2026-44335

CVE-2026-44335 concerns PraisonAI prior to 1.6.32 with an SSRF bypass in the URL validation logic. The vulnerability arises from a discrepancy between Python urlparse() parsing and the requests library when handling certain URLs (e.g., http://127.0.0.1:[email protected]). urlparse() may extract a publ...

PYSEC-2026-76

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's urltosize helper used by getnumtokensfrommessages for image token counting validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS...

CVE-2026-34590

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...

CVE-2025-66608

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate URLs. An attacker could send specially crafted requests to steal files from the web server. The affected products and versions are as follows: FAST/TOOLS Packages: RVSVR...

CVE-2025-66608

FAST/TOOLS from Yokogawa Electric Corporation is affected by CVE-2025-66608 due to improper URL validation. The issue impacts FAST/TOOLS packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB, with affected version range R9.01 to R10.04. The vulnerability could allow an attacker to send specially cra...

CVE-2026-24772

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

CVE-2026-24772

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

GHSA-6JXM-FV7W-RW5J Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API

Server-Side Request Forgery SSRF via HTML Check CSS Download The HTML Check feature /api/v1/message/ID/html-check is designed to analyze HTML emails for compatibility. During this process, the inlineRemoteCSS function automatically downloads CSS files from external tags to inline them for testing...

Server-Side Request Forgery (SSRF)

Dragonfly is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of user-supplied URLs in the Manager API and peer communication, which allows an attacker to force internal components to send requests to arbitrary or internal services, potentially...

EUVD-2013-4225

Malware in sbrugna...

EUVD-2024-2965

Malicious code in bioql PyPI...

Server-Side Request Forgery (SSRF)

org.apache.eventmesh:eventmesh-runtime is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of user-supplied URLs due to unsafe handling in the eventmesh-runtime module WebhookUtil.java, allowing attackers to read or update internal resources...

Improper Validation of Specified Type of Input

Overview org.webjars.npm:validator is an A library of string validators and sanitizers. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the isURL function which does not take into account : as the delimiter in browsers. An attackers can bypass...

BIT-JOOMLA-2022-23798 [20220306] - Core - Inadequate validation of internal URLs

An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not...