Lucene search
K

377 matches found

CNNVD
CNNVD
added 2026/04/22 12:0 a.m.11 views

Squidex 代码问题漏洞

Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities were caused by a server-side request forgeing issue, allowing users with asset upload permissions to force the server to obtain arbitrary...

8.6CVSS6AI score0.00215EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.19 views

Squidex 代码问题漏洞

Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities stemmed from the RestoreController.PostRestoreJob endpoint, which allowed administrators to download backup archives from arbitrary URLs,...

8.5CVSS6AI score0.00238EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.10 views

PT-2026-34611

Name of the Vulnerable Software and Affected Versions monetr versions prior to 1.12.5 Description A server-side request forgery SSRF issue in the Lunch Flow integration allows authenticated users on self-hosted instances to force the server to send HTTP GET requests to arbitrary URLs. The respons...

8.3CVSS5.9AI score0.00331EPSS
Exploits0References10
EUVD
EUVD
added 2026/04/20 4:4 p.m.5 views

EUVD-2026-23893

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...

5.8CVSS5.9AI score0.00203EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/20 12:0 a.m.11 views

PT-2026-33790

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...

5.8CVSS5.9AI score0.00203EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/15 10:30 p.m.6 views

Server-side Request Forgery (SSRF)

Overview processwire/processwire is a CMS/CMF. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the Add Module From URL process. An attacker can access internal network resources and sensitive endpoints by supplying arbitrary URLs to the module download...

6.8CVSS5.9AI score0.00385EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 8:6 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the APICall feature. An attacker can access sensitive internal resources and exfiltrate confidential data by supplying arbitrary URLs to the APICall feature, which are executed with elevated privilege...

7.7CVSS5.9AI score
Exploits0References2
OSV
OSV
added 2026/04/10 9:31 p.m.8 views

GHSA-V8F7-CG9P-W5JX Duplicate Advisory: GeoNode contains a server-side request forgery vulnerability in the service registration endpoint

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hw9r-6m78-w6h3. This link is maintained to preserve external references. Original Description GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the...

6.3CVSS5.5AI score0.00172EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/10 8:34 p.m.5 views

CVE-2026-40242

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...

7.2CVSS5.8AI score0.00621EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2026/04/10 8:16 p.m.23 views

PYSEC-2026-61

GeoNode versions 4.4.5 and 5.0.2 and prior within their respective releases contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL durin...

6.3CVSS5.9AI score0.00172EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/04/10 8:16 p.m.15 views

CVE-2026-39922

GeoNode versions 4.4.5 and 5.0.2 and prior within their respective releases contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL durin...

6.3CVSS0.00172EPSS
Exploits0References2
NVD
NVD
added 2026/04/10 8:16 p.m.4 views

CVE-2026-30232

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...

9.6CVSS0.00242EPSS
Exploits0References2
CVE
CVE
added 2026/04/10 7:53 p.m.19 views

CVE-2026-39922

CVE-2026-39922 affects GeoNode 4.x (pre-4.4.5) and 5.x (pre-5.0.2). The issue is a server-side request forgery in the service registration endpoint, allowing authenticated attackers to submit crafted service URLs to trigger outbound requests to arbitrary URLs via the WMS service handler, bypassin...

6.3CVSS5.5AI score0.00172EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/10 7:22 p.m.4 views

CVE-2026-39985

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...

6.1CVSS5.9AI score0.00204EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/10 7:15 p.m.4 views

CVE-2026-30232 Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...

7.8CVSS5.9AI score0.00242EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/10 7:15 p.m.3 views

CVE-2026-30232

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any I...

7.8CVSS5.9AI score0.00242EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/10 7:15 p.m.17 views

CVE-2026-30232

Chartbrew prior to version 4.8.5 is affected by a Server-Side Request Forgery (SSRF) vulnerability in API data connections. Authenticated users can specify arbitrary URLs and the server fetches them via request-promise without IP address validation, enabling access to internal networks and cloud ...

9.6CVSS5.9AI score0.00242EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/10 5:0 p.m.14 views

CVE-2026-22560

CVE-2026-22560 is an open redirect vulnerability affecting Rocket.Chat prior to 8.4.0. The issue arises from manipulating parameters in the SAML endpoint to redirect users to arbitrary URLs, notably via the /_saml/sloRedirect/:provider flow where the redirect URL is placed directly in a Location ...

5.3CVSS5.9AI score0.00322EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.8 views

chartbrew 代码问题漏洞

Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.5 contained code vulnerabilities. These vulnerabilities stemmed from the use of the request-promise library on servers to retrieve arbitrary URLs without IP addres...

9.6CVSS6AI score0.00242EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.4 views

PT-2026-32034

Name of the Vulnerable Software and Affected Versions GeoNode versions 4.0 through 4.4.5 and 5.0 through 5.0.2 Description GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 are affected by a server-side request forgery issue in the service registration endpoint. Authenticated attackers can...

6.3CVSS5.6AI score0.00172EPSS
Exploits0References13
Rows per page
Query Builder