CVE-2026-54157

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make...

CVE-2026-2264

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery SSRF and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

CVE-2026-2264 Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery SSRF and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

EUVD-2026-31865

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery SSRF and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

Portainer missing authorization on Docker plugin endpoints, which allows host RCE

Summary Portainer enforces Role-Based Access Control RBAC on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers containers, images, services, volumes, etc. that apply authorization checks. The Docker plugin management endpoints /plugins/ were not...

RHCOS 3 : Red Hat OpenShift Enterprise 3.2 (RHSA-2016:1094)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:1094 advisory. - 3: Untrusted content loaded via the API proxy can access web console credentials on the same domain CVE-2016-3703 - 3: s2i builds...

RHCOS 3 : Red Hat OpenShift Enterprise 3.1 (RHSA-2016:1095)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:1095 advisory. - 3: Untrusted content loaded via the API proxy can access web console credentials on the same domain CVE-2016-3703 Note that Nessus has not...

Copilot API Proxy 安全漏洞

Copilot API Proxy is a reverse proxy service for the GitHub Copilot API developed by Erick Christian. Versions of Copilot API Proxy prior to 0.7.0 contain security vulnerabilities. These vulnerabilities stem from the Header Handler component’s reliance on reverse DNS resolution for handling Host...

Copilot API Proxy 安全漏洞

Copilot API Proxy is a reverse proxy service for the GitHub Copilot API developed by Erick Christian. Versions of Copilot API Proxy prior to 0.7.0 contain security vulnerabilities. These vulnerabilities stem from a flaw in the cors function within the file/src/server.ts file of the component’s...

EUVD-2026-20625

A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request...

CVE-2026-5803 bigsk1 openai-realtime-ui API Proxy Endpoint server.js server-side request forgery

A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request...

CVE-2026-5803

The CVE-2026-5803 entry concerns bigsk1/openai-realtime-ui (up to commit 188ccde27fdf3d8fab8da81f3893468f53b2797c) with a vulnerability in the API Proxy Endpoint’s server.js that enables server-side request forgery through a manipulated Query argument. It is described as remotely exploitable, and...

CVE-2026-35179

CVE-2026-35179 affects WWBN AVideo prior to 29.0 via the SocialMediaPublisher plugin. The endpoint publishInstagram.json.php is exposed as an unauthenticated proxy to the Facebook/Instagram Graph API and accepts user-controlled parameters (accessToken, containerId, instagramAccountId). It passes ...

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via the publishInstagram.json.php endpoint, which acts as a proxy to the Instagram Graph API without enforcing authorization checks. An...

CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

GHSA-GJXX-92W9-8V8F Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Summary The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery SSRF. An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages Only applicatio...

Server-side Request Forgery (SSRF)

Overview @clerk/backend is a Clerk Backend SDK - REST Client for Backend API & JWT verification utilities Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the clerkFrontendApiProxy function. An attacker can obtain secret keys by crafting a request path that...

PT-2026-28602

Summary The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery SSRF. An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages Only applicatio...

CVE-2026-33340

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...

CVE-2026-33340 LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...