121 matches found
CVE-2025-1026
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. Note: This is a bypass of the fix for CVE-2024-21549...
CVE-2025-1022
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html, which can be bypassed by omitting the slashes in the file URI e.g., file:../../../../etc/passwd. This is due to missing validations of the use...
EUVD-2025-0238
Malicious code in bioql PyPI...
EUVD-2025-9704
Malicious code in bioql PyPI...
EUVD-2022-5235
Malicious code in bioql PyPI...
EUVD-2024-3576
Malicious code in bioql PyPI...
EUVD-2025-0240
Malicious code in bioql PyPI...
EUVD-2022-7274
Malicious code in bioql PyPI...
EUVD-2024-3613
Malicious code in bioql PyPI...
EUVD-2022-7259
Malicious code in bioql PyPI...
EUVD-2022-7280
Malicious code in bioql PyPI...
EUVD-2024-3469
Malicious code in bioql PyPI...
CVE-2022-43983
Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URLs that use the file:// protocol...
CVE-2022-43984
Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protoc...
CVE-2022-41706
Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method...
Server Side Request Forgery (SSRF)
spatie/browsershot is vulnerable to Server-side Request Forgery (SSRF). The vulnerability is due to a missing restriction on user input in the setUrl function, allowing attackers to access localhost and list its directories...
CVE-2025-3192
Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories...
GHSA-QW64-6VCC-8GHX Browsershot Server-Side Request Forgery (SSRF) via setURL() Function
Versions of the package spatie/browsershot from 0.0.0 to 5.0.3 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories...
Browsershot Server-Side Request Forgery (SSRF) via setURL() Function
Versions of the package spatie/browsershot from 0.0.0 to 5.0.3 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories...