377 matches found
Squidex 代码问题漏洞
Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities were caused by a server-side request forgeing issue, allowing users with asset upload permissions to force the server to obtain arbitrary...
Squidex 代码问题漏洞
Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities stemmed from the RestoreController.PostRestoreJob endpoint, which allowed administrators to download backup archives from arbitrary URLs,...
PT-2026-34611
Name of the Vulnerable Software and Affected Versions monetr versions prior to 1.12.5 Description A server-side request forgery SSRF issue in the Lunch Flow integration allows authenticated users on self-hosted instances to force the server to send HTTP GET requests to arbitrary URLs. The respons...
EUVD-2026-23893
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
PT-2026-33790
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
Server-side Request Forgery (SSRF)
Overview processwire/processwire is a CMS/CMF. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the Add Module From URL process. An attacker can access internal network resources and sensitive endpoints by supplying arbitrary URLs to the module download...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the APICall feature. An attacker can access sensitive internal resources and exfiltrate confidential data by supplying arbitrary URLs to the APICall feature, which are executed with elevated privilege...
GHSA-V8F7-CG9P-W5JX Duplicate Advisory: GeoNode contains a server-side request forgery vulnerability in the service registration endpoint
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hw9r-6m78-w6h3. This link is maintained to preserve external references. Original Description GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the...
CVE-2026-40242
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...
PYSEC-2026-61
GeoNode versions 4.4.5 and 5.0.2 and prior within their respective releases contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL durin...
CVE-2026-39922
GeoNode versions 4.4.5 and 5.0.2 and prior within their respective releases contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL durin...
CVE-2026-30232
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...
CVE-2026-39922
CVE-2026-39922 affects GeoNode 4.x (pre-4.4.5) and 5.x (pre-5.0.2). The issue is a server-side request forgery in the service registration endpoint, allowing authenticated attackers to submit crafted service URLs to trigger outbound requests to arbitrary URLs via the WMS service handler, bypassin...
CVE-2026-39985
LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...
CVE-2026-30232 Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...
CVE-2026-30232
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...
CVE-2026-30232
Chartbrew prior to version 4.8.5 is affected by a Server-Side Request Forgery (SSRF) vulnerability in API data connections. Authenticated users can specify arbitrary URLs and the server fetches them via request-promise without IP address validation, enabling access to internal networks and cloud ...
CVE-2026-22560
CVE-2026-22560 is an open redirect vulnerability affecting Rocket.Chat prior to 8.4.0. The issue arises from manipulating parameters in the SAML endpoint to redirect users to arbitrary URLs, notably via the /_saml/sloRedirect/:provider flow where the redirect URL is placed directly in a Location ...
chartbrew 代码问题漏洞
Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.5 contained code vulnerabilities. These vulnerabilities stemmed from the use of the request-promise library on servers to retrieve arbitrary URLs without IP addres...
PT-2026-32034
Name of the Vulnerable Software and Affected Versions GeoNode versions 4.0 through 4.4.5 and 5.0 through 5.0.2 Description GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 are affected by a server-side request forgery issue in the service registration endpoint. Authenticated attackers can...