CVE-2026-57304

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password...

CVE-2026-57304

CVE-2026-57304 affects the Jenkins Assembla Plugin (versions ≤ 1.4). The root cause is a missing permission check, allowing attackers who have Overall/Read permission to instruct the plugin to connect to an attacker-specified URL using attacker-specified credentials. The description in connected ...

CVE-2026-7165 Multiple vulnerabilities in the Assassin game by Gaudire

The vulnerability is present in the ‘/addJugador’ endpoint: The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their...

PT-2026-50480

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description An issue exists where the process picture url function in backend/open webui/utils/oauth.py performs URL validation only on the initial URL. Subsequently, it uses aiohttp.ClientSession.get without...

CVE-2026-45191

Net::CIDR::Lite (Perl) is affected in versions before 0.24. The flaw is in CIDR mask handling: extraneous zero characters in masks are not properly validated, causing /00 and /01 (and other zero-padded forms) to pass validation and be parsed to the same prefix as the unpadded value, potentially a...

CVE-2026-42339

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 CVE-2025-59146 and hardened in v0.9.6 CVE-2025-62155 does not block the unspecified address 0.0.0.0. A regular...

CVE-2026-40280

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression ^https?:// to match URL schemes. Because Go's net/url.Parse normalizes...

Twenty 代码问题漏洞

Twenty is an open-source CRM platform developed by Twenty. Versions of Twenty 1.18.0 and earlier have code vulnerabilities. These vulnerabilities stem from a flaw in the SSRF protection mechanism, which can be bypassed by IPv6 addresses mapped via IPv4. The Node.js URL parser standardizes IPv6...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fixed an issue where invalid address access occurred when enabling the SCAN log level. The variable i is changed when setting a random MAC address, causing invalid address access when printing the value of...

Astra Linux – Vulnerability in Nasm

There is an illegal address access in asm/preproc.c function: ismmacro within Netwide Assembler NASM 2.14rc16. This issue may lead to a denial of service due to out-of-bounds array access, as a certain conversion can result in a negative integer...

CVE-2026-41361

OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013675)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013675 advisory. In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013522)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013522 advisory. In the Linux kernel, the following vulnerability has been resolved: scsi: iscsitcp: Fix UAF during logout when accessing the shost ipaddress Bug report and analysis...

GHSA-9HRV-GVRV-6GF2 Flowise Execute Flow function has an SSRF vulnerability

Summary The attacker provides an intranet address through the base url field configured in the Execute Flow node → Bypass checkDenyList / resolveAndValidate in httpSecurity.ts not called → Causes the server to initiate an HTTP request to any internal network address, read cloud metadata, or detec...

DEBIAN-CVE-2026-5713

The "profiling.sampling" module Python 3.15+ and "asyncio introspection capabilities" 3.14+, "python -m asyncio ps" and "python -m asyncio pstree" features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via t...

CVE-2026-5713

The "profiling.sampling" module Python 3.15+ and "asyncio introspection capabilities" 3.14+, "python -m asyncio ps" and "python -m asyncio pstree" features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via t...

CVE-2026-34225 Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to a user-provided U...

PT-2026-32696

Name of the Vulnerable Software and Affected Versions CPython versions 3.14 and later Description The profiling.sampling module and asyncio introspection capabilities, specifically the 'python -m asyncio ps' and 'python -m asyncio pstree' commands, allow for out-of-bounds read and write operation...

CVE-2025-64427

ZimaOS (a CasaOS fork for Zima devices and x86-64 with UEFI) is vulnerable to Server-Side Request Forgery (SSRF) in version 1.5.0 and earlier. An authenticated local user can craft requests to internal targets (127.0.0.1, localhost, private ranges) due to insufficient URL validation/restriction, ...

Linux Distros Unpatched Vulnerability : CVE-2021-4456

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions addr2cidr and cidrlookup...