Lucene search
K

37 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/06 8:10 a.m.7 views

CVE-2026-49086

Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...

6AI score0.00426EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/02 7:47 p.m.10 views

EUVD-2026-33273

Mautic Focus component Vulnerable to SSRF...

6.4CVSS5.8AI score0.00138EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 7:26 a.m.6 views

EUVD-2026-39638

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not sufficiently validate or restrict user-controlled input within these headers. This omission allows an attacker to manipulate WS-Addressing headers to specify arbitrary destinations for server-initiated...

8.3CVSS5.9AI score0.00222EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.27 views

PT-2026-52667

Name of the Vulnerable Software and Affected Versions WSO2 API Manager affected versions not specified Description The message flow component fails to sufficiently validate or restrict user-controlled input within WS-Addressing headers. This allows an unauthenticated attacker to manipulate these...

10CVSS5.9AI score0.00222EPSS
Exploits0References6
OSV
OSV
added 2026/06/12 3:4 p.m.9 views

GHSA-24FP-5V3P-RVPW Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection

Summary Authenticated chisel clients can bypass --authfile ACL restrictions and tunnel traffic to arbitrary destinations reachable from the server. The ACL is enforced only during the initial handshake against declared remotes, but never on subsequent SSH channels that carry actual traffic. A...

8.5CVSS5.6AI score0.00038EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.12 views

CVE-2026-5936

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints e.g., cloud metadata services, or bypass...

9.8CVSS5.6AI score0.00195EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/14 7:58 p.m.13 views

CVE-2026-44258

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfindercheckRisk function validates target and targets for path traversal and home containment, but does not validate the dst destination parameter used by elfinderpaste. An attacker can copy or move files from within the home...

9.3CVSS5.9AI score0.0029EPSS
Exploits0References1
NVD
NVD
added 2026/04/13 7:16 a.m.10 views

CVE-2026-5936

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints e.g., cloud metadata services, or bypass...

9.8CVSS0.00195EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/13 6:57 a.m.3 views

CVE-2026-5936

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints e.g., cloud metadata services, or bypass...

8.5CVSS5.8AI score0.00195EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/13 6:57 a.m.15 views

CVE-2026-5936

The CVE-2026-5936 entries describe a Server-Side Request Forgery (SSRF) in the Foxit PDF Services API, where an attacker can craft a URL to cause the server to initiate requests to arbitrary destinations. Affected component: Foxit PDF Services API (server-side URL handling). Reported impact inclu...

9.8CVSS5.8AI score0.00195EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.12 views

PT-2026-32283

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior m...

9.8CVSS6.1AI score0.00195EPSS
Exploits0References7
OSV
OSV
added 2026/04/09 9:18 p.m.4 views

CVE-2026-40114 PraisonAI has Server-Side Request Forgery via Unvalidated webhook_url in Jobs API

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhookurl in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An...

7.2CVSS6.1AI score0.0028EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/09 5:41 p.m.1 views

CVE-2026-40072

web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup EIP-3668 by performing HTTP requests to URLs supplied by smart contracts in offchainlookuppayload"urls". The implementation uses these...

6.3CVSS6AI score0.00228EPSS
Exploits2References3Affected Software1
NVD
NVD
added 2026/04/01 11:15 a.m.7 views

CVE-2026-0932

Blind server-side request forgery SSRF vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs...

7.3CVSS0.00195EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/19 6:38 p.m.23 views

CVE-2026-27472 SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites

SPIP before 4.4.9 allows Blind Server-Side Request Forgery SSRF via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitra...

5.3CVSS0.00262EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.7 views

PT-2026-20845

Name of the Vulnerable Software and Affected Versions SPIP versions prior to 4.4.9 Description SPIP before version 4.4.9 contains a Blind Server-Side Request Forgery SSRF issue related to syndicated sites within the private area. The application does not validate the syndication URL when editing ...

4.3CVSS5.5AI score
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/02/19 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2026-27472

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SPIP before 4.4.9 allows Blind Server-Side Request Forgery SSRF via syndicated sites in the private area. When editing a syndicated site, the application does n...

5.3CVSS6AI score0.00262EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/12/24 12:0 a.m.9 views

PT-2025-53337

Name of the Vulnerable Software and Affected Versions Teradek VidiU Pro version 3.0.3 Description The software contains a server-side request forgery issue in the management interface. Attackers can manipulate GET parameters url and xml url to bypass firewalls, perform network enumeration, and...

6.9CVSS6.7AI score0.00301EPSS
Exploits2References5
RedhatCVE
RedhatCVE
added 2025/12/16 8:44 p.m.5 views

CVE-2023-53893

Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the job callback URL parameter that allows attackers to bypass network restrictions. Attackers can exploit the unvalidated parameter to initiate file, service, and network enumeration by forcing the...

6.5CVSS7AI score0.00246EPSS
Exploits1References1
NVD
NVD
added 2025/12/15 9:15 p.m.5 views

CVE-2023-53893

Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the job callback URL parameter that allows attackers to bypass network restrictions. Attackers can exploit the unvalidated parameter to initiate file, service, and network enumeration by forcing the...

6.5CVSS0.00246EPSS
Exploits1References4
Rows per page
Query Builder