529 matches found
PT-2026-42674
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.04.1 Description The request-filtering-agent Server-Side Request Forgery SSRF protection is non-functional in the Slack, Discord, Mattermost, and Teams notification webhook plugins. This occurs because the httpAge...
PT-2026-42653
Summary A Server-Side Request Forgery SSRF vulnerability in get image info allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services e.g., AWS 169.254.169.254. This is a blind SSRF with confirmed internal port scanni...
GHSA-J3FJ-QPPJ-FMMC Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer
Summary The fix for GHSA-6jxm-fv7w-rw5j CVE-2026-23845, "Server-Side Request Forgery SSRF via HTML Check API", shipped in mailpit v1.28.3, hardened internal/htmlcheck/css.go::downloadCSSToBytes with a 5MB size cap, a text/css content-type check, login-info stripping in isValidURL, and an opt-in...
Server-side Request Forgery (SSRF)
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server,...
GHSA-96FF-GC8G-WPVG DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool
Summary The fetchurl tool validates the initial URL's resolved IP address against a restricted-IP blocklist isrestrictedip to prevent SSRF attacks against internal services cloud metadata endpoints, localhost, private networks. However, the HTTP client reqwest is configured to automatically follo...
CVE-2026-42281 MagicMirror²: Unauthenticated SSRF via /cors endpoint
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadat...
MagicMirror 代码问题漏洞
MagicMirror is an open-source modular smart mirror platform developed by MagicMirror. Versions of MagicMirror prior to 2.36.0 had code vulnerabilities. These vulnerabilities stemmed from unauthorized server-side request forgery through the /cors endpoint, which could allow any remote attacker to...
PT-2026-41165
Name of the Vulnerable Software and Affected Versions CodeWhale versions prior to 0.8.22 Description The fetch url tool implements a check using the is restricted ip function to validate the resolved IP address of an initial URL against a blocklist of restricted IPs, such as localhost, private...
PT-2026-41172
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description A Server-Side Request Forgery SSRF bypass exists in the validate url function located in backend/open webui/retrieval/web/utils.py. The function calls validators.ipv6ip, private=True, but because...
CVE-2026-42345
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith check against a hardcoded list. This check can be bypassed using at least 7 different...
CVE-2026-42141
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery SSRF vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests fr...
CVE-2026-43929 ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address e.g. http://::ffff:127.0.0.1/. The WHATWG URL parser bui...
CVE-2026-43993 JunoClaw: SSRF in WAVS computeDataVerify allows cloud-metadata and internal-service access
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch on agent-supplied URLs without validating scheme, port, or resolved IP, resulting in an SSRF vulnerability. This vulnerability is fixed in 0.x.y-security-1...
CVE-2026-43993 JunoClaw: SSRF in WAVS computeDataVerify allows cloud-metadata and internal-service access
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch on agent-supplied URLs without validating scheme, port, or resolved IP, resulting in an SSRF vulnerability. This vulnerability is fixed in 0.x.y-security-1...
CVE-2026-43993
CVE-2026-43993 : In JunoClaw’s WAVS bridge, the function computeDataVerify fetched agent-supplied URLs without validating the URL scheme, port, or resolved IP, enabling an SSRF vulnerability. Affected version range is prior to 0.x.y-security-1 . This could allow access to cloud-metadata and inter...
Exploit for Server-Side Request Forgery in Rbaskets Request_Baskets
CVE-2023-27163 — request-baskets SSRF Exploit I wrote this ex...
GHSA-65H7-C7C4-MGHX MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability
A Server-Side Request Forgery SSRF vulnerability exists in MLflow versions prior to 3.9.0. The createwebhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the sendwebhookrequest function in mlflow/webhooks/delivery.py sends HTTP POST request...
CVE-2026-42858
Open edX Platform enables the authoring and delivery of online learning at any scale. The syncproviderdata endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadataurl POST parameter. This URL is passed directly to requests.get in...
CVE-2026-2393
A Server-Side Request Forgery SSRF vulnerability exists in MLflow versions prior to 3.9.0. The createwebhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the sendwebhookrequest function in mlflow/webhooks/delivery.py sends HTTP POST request...
CVE-2026-42858 Open edX Platform: Server-Side Request Forgery (SSRF) in SAML Provider Data Sync Endpoint
Open edX Platform enables the authoring and delivery of online learning at any scale. The syncproviderdata endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadataurl POST parameter. This URL is passed directly to requests.get in...