
13 matches found

AlpineLinux
added 2026/05/05 7:56 p.m. · 7 views

CVE-2026-35527

Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function...

6.4 CVSS · 5.8 AI score · 0.00015 EPSS
Exploits 2 · References 2

Positive Technologies
added 2026/05/04 12:0 a.m. · 2 views

PT-2026-37097

Name of the Vulnerable Software and Affected Versions: Incus versions prior to 7.0.0 Description: An authenticated user can cause the daemon to make blind outbound HEAD requests to arbitrary destinations. This occurs because the image import flow issues a request to a user-supplied URL via the...

5.3 CVSS · 5.9 AI score · 0.0001 EPSS
Exploits 1 · References 6

EUVD
added 2026/04/14 1:39 a.m. · 2 views

EUVD-2026-22188

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to a user-provided U...

4.3 CVSS · 5.7 AI score · 0.00036 EPSS
Exploits 1 · References 1

EUVD
added 2026/03/12 5:0 p.m. · 1 views

EUVD-2026-11599

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration allowAbsoluteUrls: true...

7.7 CVSS · 5.8 AI score · 0.00044 EPSS
Exploits 0 · References 1

Vulnrichment
added 2026/03/02 3:50 p.m. · 3 views

CVE-2025-50199 Chamilo: Blind Server-Side Request Forgery (Unauth Blind SSRF)

Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openidurl parameter. This issue has been patched in version 1.11.30...

7.7 CVSS · 5.9 AI score · 0.00094 EPSS
Exploits 1 · References 2

NVD
added 2026/02/19 11:16 p.m. · 3 views

CVE-2025-8055

Server-Side Request Forgery SSRF vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server. This issue affects XM Fax: 24.2...

5.3 CVSS · 0.00044 EPSS
Exploits 0 · References 1

Cvelist
added 2026/02/19 10:21 p.m. · 18 views

CVE-2025-8055 SSRF vulnerability have been discovered in OpenText™ XM Fax

Server-Side Request Forgery SSRF vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server. This issue affects XM Fax: 24.2...

5.3 CVSS · 0.00044 EPSS
Exploits 0 · References 1

RedhatCVE
added 2026/01/09 9:5 a.m. · 2 views

CVE-2024-41664

Canarytokens help track activity and actions on a network. Prior to sha-8ea5315, Canarytokens.org was vulnerable to a blind SSRF in the Webhook alert feature. When a Canarytoken is created, users choose to receive alerts either via email or via a webhook. If a webhook is supplied when a Canarytok...

5.4 CVSS · 7 AI score · 0.00099 EPSS
Exploits 0 · References 1

Vulnrichment
added 2026/01/07 5:16 p.m. · 2 views

CVE-2025-58441 Knowage is vulnerable to blind server-side request forgery (SSRF)

Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is not able to read the response, the impact o...

6.3 CVSS · 6.5 AI score · 0.00051 EPSS
Exploits 0 · References 1

CVE
added 2025/10/01 3:25 a.m. · 8 views

CVE-2025-10735

The CVE-2025-10735 entry concerns the WordPress plugin Block for Mailchimp – Easy Mailchimp Form Integration, affected up to version 1.1.12. Multiple sources (Wordfence, CNVD, RH, NVD, Patchstack) describe a blind Server-Side Request Forgery (SSRF) vulnerability exploitable via the mcbSubmit_Form...

4 CVSS · 5.6 AI score · 0.00082 EPSS
Exploits 0 · References 4

Positive Technologies
added 2023/10/23 12:0 a.m. · 2 views

PT-2023-29777 · Umputun · Remark42

Name of the Vulnerable Software and Affected Versions: umputun remark42 versions 1.12.1 and before Description: The issue is related to a Blind Server-Side Request Forgery SSRF vulnerability. No information is provided about the estimated number of potentially affected devices worldwide or...

7.5 CVSS · 7 AI score · 0.00276 EPSS
Exploits 1 · References 7

ATTACKERKB
added 2022/07/11 1:27 a.m. · 5 views

CVE-2022-32457

Digiwin BPM has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform Blind SSRF attack to discover internal network topology base on URL error response...

5.3 CVSS · 6.1 AI score · 0.00554 EPSS
Exploits 0 · References 3

Positive Technologies
added 2022/04/04 12:0 a.m. · 1 views

PT-2022-13702 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 12.1 through 14.7.7 GitLab CE/EE versions 14.8 through 14.8.5 GitLab CE/EE versions 14.9 through 14.9.2 Description: A blind SSRF attack was possible through the repository mirroring feature. Recommendations: For version...

5.3 CVSS · 5.1 AI score · 0.00325 EPSS
Exploits 0 · References 10