Lucene search
K

3 matches found

Github Security Blog
Github Security Blog
added 2026/04/10 7:28 p.m.5 views

PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API

Summary The /api/v1/runs endpoint accepts an arbitrary webhookurl in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server...

10CVSS6.2AI score0.0028EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/02/26 12:36 a.m.9 views

CVE-2026-27829 Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an inferSize option that fetches remote images at rend...

6.5CVSS5.9AI score0.00281EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2025/10/11 9:28 a.m.4 views

CVE-2025-9975 WP Scraper <= 5.8.1 - Authenticated (Administrator+) Server-Side Request Forgery

The WP Scraper plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.8.1 via the wpscraperextractcontent function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary...

6.8CVSS5.4AI score0.00313EPSS
Exploits0References3
Rows per page
Query Builder