Lucene search
+L

1471 matches found

ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-15093

IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to redirect users to malicious websites due to improper validation of user-supplied URLs...

4.3CVSS4.9AI score
Exploits0References2Affected Software1
CVE
CVE
added yesterday10 views

CVE-2026-15093

CVE-2026-15093 affects IBM Engineering AI Hub versions 1.0.0, 1.1.0 and 1.2.0. Affected component: handling/validation of user-supplied URLs, enabling a remote attacker to redirect users to malicious websites due to improper URL validation. The IBM Security Bulletin consolidates multiple vulnerab...

4.3CVSS4.9AI score
Exploits0References1
Nuclei
Nuclei
added yesterday16 views

WSO2 - Server Side Request Forgery

WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature accessible only to administrative users, caused by improper URL validation and direct content reflection, letting attackers trick admins into executing arbitrary JavaScript and querying internal services...

5.9CVSS5.3AI score0.00583EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-62214

OpenClaw versions before 2026.5.28 Bot Framework contains an improper input validation vulnerability that allows lower-trust callers to expose bot tokens and credentials by failing to properly validate serviceUrl parameters. Attackers can supply malicious serviceUrl values through configured inpu...

6.5CVSS6.1AI score0.00308EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2 days ago5 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

7.5CVSS7.1AI score0.00728EPSS
Exploits0References8
NVD
NVD
added 2 days ago10 views

CVE-2026-15099

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrapdirectiontext function, which interpolates the...

6.4CVSS0.00193EPSS
Exploits0References5
NVD
NVD
added 3 days ago8 views

CVE-2026-53446

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan webhook integration URLs in models/integrations.js are stored from user input and later fetched by server/notifications/outgoing.js without applying the existing validateAttachmentUrl private-network checks from...

6.2CVSS0.00286EPSS
Exploits0References3
NVD
NVD
added 3 days ago7 views

CVE-2026-45738

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to 3.2.12, 3.3.10, and 3.4.2, Argo CD users with application write access can set link.argocd.argoproj.io/ annotations whose pipe-separated values are rendered by...

7.3CVSS0.00312EPSS
Exploits0References7
EUVD
EUVD
added 4 days ago11 views

EUVD-2026-36132

Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges...

8.6CVSS6.1AI score0.00269EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-57904

Name of the Vulnerable Software and Affected Versions CrewAI versions prior to 1.15.1 Description A server-side request forgery SSRF issue exists in the validate url function. The function performs one-shot DNS resolution and blocklist checks but returns the original URL unchanged. This allows...

8.3CVSS6.1AI score0.00287EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.7 views

PT-2026-56579

Name of the Vulnerable Software and Affected Versions Plate versions 53.0.0 through 53.1.3 Description The media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation. This allows a crafted document to specify a known video...

8.7CVSS6.1AI score0.00241EPSS
Exploits0References8
NVD
NVD
added 2026/07/07 9:17 p.m.7 views

CVE-2026-53751

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the H2 database JDBC URL validation logic can be bypassed with special Unicode characters whose case-conversion behavior differs between DataEase validation and H2 parsing, allowing attackers to smuggle dangerous...

8.7CVSS0.00375EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 8:31 p.m.23 views

CVE-2026-53751

CVE-2026-53751 affects DataEase prior to 2.10.24. The vulnerability arises from the H2 database JDBC URL validation being bypassable by Unicode characters whose case-conversion behavior differs between DataEase’s validation and H2 parsing, enabling an attacker to smuggle dangerous parameters (e.g...

8.7CVSS6.2AI score0.00375EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:31 p.m.7 views

CVE-2026-53751

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the H2 database JDBC URL validation logic can be bypassed with special Unicode characters whose case-conversion behavior differs between DataEase validation and H2 parsing, allowing attackers to smuggle dangerous...

8.7CVSS6.2AI score0.00375EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/07/07 1:1 p.m.6 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00442EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00442EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.7 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00442EPSS
Exploits0References2
OSV
OSV
added 2026/07/06 8:16 p.m.5 views

DEBIAN-CVE-2026-50134

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server or an attacker controlling its DNS or response could therefore redirect t...

5.8CVSS5.9AI score0.00249EPSS
Exploits0References1
OSV
OSV
added 2026/07/01 1:18 p.m.4 views

CVE-2026-13603 SSRF with API key leak in pretix-oppwa

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

10CVSS6AI score0.00253EPSS
Exploits0References5
CVE
CVE
added 2026/07/01 1:18 p.m.19 views

CVE-2026-13603

CVE-2026-13603 affects the pretix-oppwa payment integration. The vulnerability arises from insecure handling of Oppwa’s API URL: the code concatenated resourcePath from the return URL to baseUrl without validation and without a trailing slash, enabling an attacker to redirect the API call to a di...

10CVSS5.8AI score0.00253EPSS
Exploits0References1
Rows per page
Query Builder