PT-2026-42735

The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for...

GHSA-WP38-WHX3-XFFH AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass

Summary An authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. When any other user including a second account owned by the same attacker...

CVE-2026-40107

Summary: SiYuan before 3.6.4 configures Mermaid.js with securityLevel: loose and htmlLabels: true, allowing tags to survive DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary sanitization. When a user opens a note containing a malicious Mermaid diagram, the El...

EUVD-2025-208873

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to...

CVE-2025-8055

OpenText XM Fax is affected by a Server-Side Request Forgery (SSRF) in version 24.2. The vulnerability permits blind SSRF to other systems reachable from the XM Fax server. The linked documents confirm the issue and affected product/version but do not provide exploitation details or a remediation...

WordPress plugin RSS Aggregator by Feedzy 代码问题漏洞

WordPress RSS Aggregator by Feedzy is a lightweight plugin designed for WordPress that focuses on automatically grabbing content from external RSS feeds and syndicating it to your website. WordPress RSS Aggregator by Feedzy has a code issue vulnerability that stems from the existence of a blind...

CVE-2025-13872

Blind Server-Side Request Forgery SSRF in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination...

CVE-2025-10705

The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.4.6. This is due to insufficient validation of user-supplied URLs in the PDF processing functionality. This makes it possible for unauthenticated...

WP Crontrol Authenticated (Administrator+) plugin vulnerable to Blind Server-Side Request Forgery

Impact The WP Crontrol plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the wpremoterequest function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations...

Linux Distros Unpatched Vulnerability : CVE-2022-4201

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local...

CVE-2022-0671

A flaw was found in vscode-xml in versions prior to 0.19.0. Schema download could lead to blind SSRF or DoS via a large file...

CVE-2020-29445

Affected versions of Confluence Server before 7.4.8, and versions from 7.5.0 before 7.11.0 allow attackers to identify internal hosts and ports via a blind server-side request forgery vulnerability in Team Calendars parameters...