Lucene search
+L

9786 matches found

nvd
nvd
added 2026/03/03 11:15 p.m.13 views

CVE-2026-27600

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although...

5CVSS0.00187EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/03/03 10:23 p.m.4 views

CVE-2026-27600

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although...

5CVSS6.1AI score0.00187EPSS
Exploits0References2Affected Software1
cve
cve
added 2026/03/03 10:23 p.m.23 views

CVE-2026-27600

CVE-2026-27600 : In HomeBox, prior to version 0.24.0-rc.1, the notifier allows authenticated users to specify arbitrary URLs for HTTP POST requests without validating host/IP/port. This can yield a behavioral side-channel that enables internal service enumeration, as the UI behavior varies with t...

5CVSS6.1AI score0.00187EPSS
Exploits0References1Affected Software1
euvd
euvd
added 2026/03/03 10:23 p.m.13 views

EUVD-2026-9335

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although...

5CVSS6.1AI score0.00187EPSS
Exploits0References1
osv
osv
added 2026/03/03 10:23 p.m.7 views

CVE-2026-27600 HomeBox affected by Blind SSRF

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although...

5CVSS6AI score0.00187EPSS
Exploits0References3
osv
osv
added 2026/03/01 1:30 a.m.6 views

GHSA-CWPP-325Q-2CVP Statamic Vulnerable to Server-Side Request Forgery via Glide

Impact When Glide image manipulation is used in insecure mode which is not the default, the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal...

6.8CVSS5.9AI score0.00378EPSS
Exploits0References5
redos
redos
added 2026/02/24 12:0 a.m.7 views

ROS-20260224-73-0019

Vulnerability in moodle related to url redirection to untrusted site. Exploitation of the vulnerability could allow an attacker acting remotely to redirect a user to an arbitrary url address...

6.1CVSS5.7AI score0.00226EPSS
Exploits0
redhatcve
redhatcve
added 2026/02/20 7:22 a.m.12 views

CVE-2025-12375

The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the downloadur...

6.4CVSS5.7AI score0.00266EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/02/13 12:0 a.m.5 views

CVE-2025-70094

A cross-site scripting XSS vulnerability in the Generate Item Barcode function of OpenSourcePOS v3.4.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Item Category parameter...

5.5AI score0.00162EPSS
Exploits1References3
cve
cve
added 2026/02/06 9:19 p.m.17 views

CVE-2026-25123

Homarr (open-source dashboard) prior to version 1.52.0 contains an unauthenticated tRPC endpoint widget.app.ping that accepts an arbitrary URL and performs a server-side request. This enables SSRF from the Homarr server and can be used as a port-scanning primitive (open vs closed ports inferred f...

5.3CVSS5.7AI score0.00264EPSS
Exploits0References1Affected Software1
cnnvd
cnnvd
added 2026/02/06 12:0 a.m.9 views

homarr 代码问题漏洞

Homarr is a customizable browser homepage developed by Thomas Camlong, used to interact with the Docker container of the main server. Versions of Homarr prior to 1.52.0 contained code vulnerabilities. These vulnerabilities stemmed from unvalidated tRPC endpoints that accepted arbitrary URLs and...

5.3CVSS6AI score0.00264EPSS
Exploits0References2
packetstormnews
packetstormnews
added 2026/02/02 12:0 a.m.10 views

miniBB 3.1 Cross Site Scripting

A cross site scripting vulnerability exists in miniBB Forum version 3.1. The vulnerability allows remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive...

5.2AI score
Exploits0
packetstormnews
packetstormnews
added 2026/02/02 12:0 a.m.8 views

FreshRSS 1.11.1 Cross Site Scripting

Multiple cross site scripting vulnerabilities exist in FreshRSS version 1.11.1. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive...

5.2AI score
Exploits0
redos
redos
added 2026/01/29 12:0 a.m.5 views

ROS-20260129-73-0066

Vulnerability in curl related to url redirection to an untrusted site. Exploitation of the vulnerability could allow an attacker acting remotely to redirect a user to an arbitrary url address...

5.3CVSS6AI score0.00611EPSS
Exploits1
nvd
nvd
added 2026/01/24 8:16 a.m.8 views

CVE-2026-0807

The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'templateproxy' function. This makes it possible for unauthenticated attackers to make web reques...

7.2CVSS0.00324EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/01/17 12:0 a.m.15 views

PT-2026-3344

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, t...

2.2CVSS5.8AI score0.00245EPSS
Exploits0References7
attackerkb
attackerkb
added 2026/01/16 6:43 a.m.3 views

CVE-2025-14793

The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary...

5CVSS5.5AI score0.00242EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/01/16 5:20 a.m.5 views

CVE-2026-23768

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension...

6.1CVSS5.7AI score0.00216EPSS
Exploits1References3
redhatcve
redhatcve
added 2026/01/09 12:40 p.m.12 views

CVE-2023-43376

A cross-site scripting XSS vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter...

5.4CVSS5.7AI score0.00423EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/01/09 12:39 p.m.11 views

CVE-2023-29636

Cross site scripting XSS vulnerability in ZHENFENG13 My-Blog, allows attackers to inject arbitrary web script or HTML via the "title" field in the "blog management" page due to the the default configuration not using MyBlogUtils.cleanString...

5.4CVSS5.7AI score0.00414EPSS
Exploits1References1
Rows per page
Query Builder