1393 matches found
CVE-2026-36604
Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...
CVE-2026-33659
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery SSRF via a DNS rebinding TOCTOU condition. Host validation uses dnsgetrecord but the actual HTTP...
CVE-2026-45619
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...
CVE-2026-42194
Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetchmetadata.php validates the resolved IP address but passes the original hostname-based URL to curlinit, leaving a DNS rebinding TOCTOU window that allows redirecting requests to...
CVE-2026-41688
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname but passes the original hostname to cURL without CURLOPTRESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS...
CVE-2026-9739
Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...
CVE-2026-35568
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victims browser that is either local, o...
CVE-2026-36604
Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...
CVE-2026-36604
Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...
CVE-2026-36604
Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...
PT-2026-45992
Mercusys AC12G EU V1 router with firmware AC12GEU V1 200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...
MindsDB -DNS Rebinding SSRF Protection Bypass
Detects DNS rebinding vulnerability that allows bypass of SSRF protection. The vulnerability exists in the URL validation mechanism where DNS resolution is performed without considering DNS rebinding attacks. id: CVE-2024-24759 info: name: MindsDB -DNS Rebinding SSRF Protection Bypass author: Lee...
CVE-2026-45619
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...
CVE-2026-45619 AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...
CVE-2026-45619
Summary: WWBN AVideo prior to 29.0 allowed SSRF via isSSRFSafeURL() because subsequent fetches used file_get_contents() with redirects enabled. Two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) validate the URL but do not prevent redirects, enabling a redirect-based DNS re...
CVE-2026-45619
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...
CVE-2026-45619 AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...
EUVD-2026-32672
Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...
CVE-2026-9739
Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...
CVE-2026-9739
Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...