381 matches found
OpenClaw affected by SSRF via attachment/media URL hydration
Summary Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary https URLs during attachment/media hydration. An attacker who can influence the media URL for example via model-controlled sendAttachment or auto-reply media URLs could trigger SSRF to internal...
EUVD-2026-5564
Homarr is an open-source dashboard. Prior to 1.52.0, a public unauthenticated tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF...
PT-2026-6801
Name of the Vulnerable Software and Affected Versions Homarr versions prior to 1.52.0 Description Homarr is an open-source dashboard susceptible to Server-Side Request Forgery SSRF. A public, unauthenticated tRPC endpoint, widget.app.ping, accepts an arbitrary URL and makes a server-side request ...
SAMSUNG Members 安全漏洞
Samsung Members is a community platform app developed by South Korea’s Samsung Corporation. Versions of Samsung Members prior to 5.6.00.11 contained security vulnerabilities. These vulnerabilities stemmed from improper input validation, potentially allowing remote attackers to connect to arbitrar...
Chainlit contain a server-side request forgery (SSRF) vulnerability
Chainlit versions prior to 2.9.4 contain a server-side request forgery SSRF vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy...
CVE-2026-22219 Chainlit < 2.9.4 SQLAlchemy Data Layer SSRF via /project/element
Chainlit versions prior to 2.9.4 contain a server-side request forgery SSRF vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy...
PT-2026-3516
Name of the Vulnerable Software and Affected Versions Chainlit versions prior to 2.9.4 Description Chainlit versions prior to 2.9.4 contain a server-side request forgery SSRF vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated...
CVE-2026-23768
lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension...
CVE-2026-23768
lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension...
CVE-2026-23768
CVE-2026-23768 concerns the Lucy-XSS-Filter project. The vulnerability exists in the code path prior to commit 7c1de6d and allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener options are enabled and an embed or object t...
CVE-2026-23768
lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension...
CVE-2025-59021
Backend users with access to the redirects module and write permission on the sysredirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs...
CVE-2025-59021 TYPO3 CMS Allows Broken Access Control in Redirects Module
Backend users with access to the redirects module and write permission on the sysredirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs...
TYPO3 CMS 安全漏洞
TYPO3 CMS is a content management system from TYPO3 open source. A security vulnerability exists in TYPO3 CMS that originates from a back-end user with access to the redirection module being able to read, create, and modify any redirection record without restriction, which could result in the...
GHSA-X27P-WFQW-HFCC Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
The Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by...
Server-Side Request Forgery (SSRF)
@lobehub/chat is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation and restriction of user-supplied URLs in the tools.search.crawlPages tRPC endpoint, which allows an attacker with a valid token to supply arbitrary URLs and force the server to mak...
CVE-2025-14896
due to insufficient sanitazation in Vega’s convert function when safeMode is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitiv...
EUVD-2025-201264
Open WebUI vulnerable to Server-Side Request Forgery SSRF via Arbitrary URL Processing in /api/v1/retrieval/process/web...
CVE-2025-65958
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery SSRF vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to...
CVE-2025-65958
Open WebUI (self-hosted offline AI platform) is affected by a Server-Side Request Forgery (SSRF) in the /api/v1/retrieval/process/web endpoint. The vulnerability allows any authenticated user to force the server to fetch arbitrary URLs, enabling access to internal/cloud metadata endpoints (e.g., ...