16 matches found
Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections
Summary The metascraper-logo-favicon plugin makes HTTP requests to URLs extracted from attacker-controlled HTML without going through the application's validateUrl SSRF protections. This allows any authenticated user to make the server fetch arbitrary internal URLs by bookmarking a page containin...
GHSA-VMH7-9C7H-2PGG auto-favicon has a Server-Side Request Forgery issue
A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generatefaviconfromurl of the file src/autofavicon/server.py of the component MCP Tool. The manipulation of the argument imageurl results in server-side request forgery...
Server-side Request Forgery (SSRF)
Overview auto-favicon is an A Model Context Protocol server providing tools for automatic favicon generation from PNG images or URLs Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the generatefaviconfromurl function. An attacker can cause the server to ma...
CVE-2026-7150
A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generatefaviconfromurl of the file src/autofavicon/server.py of the component MCP Tool. The manipulation of the argument imageurl results in server-side request forgery...
CVE-2026-3332
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...
CVE-2026-3332
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...
CVE-2026-3332 Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...
CVE-2026-3332
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...
CVE-2026-3332 Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...
CVE-2026-3332
The CVE concerns the Xhanch - My Advanced Settings plugin for WordPress, vulnerable in all versions up to 1.1.2 due to missing nonce validation in the xms_setting() function on the settings update handler. This enables unauthenticated attackers to modify plugin settings via forged requests if a s...
PT-2026-26848
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xms setting function on the settings update handler. This makes it possible for unauthenticated attackers ...
EUVD-2023-51263
Malicious code in bioql PyPI...
CVE-2023-47120
Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the stable branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the beta and tests-passed branches, Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting...
Design/Logic Flaw
Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the stable branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the beta and tests-passed branches, Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting...
CVE-2023-47120 Discourse DoS through Onebox favicon URL
Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the stable branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the beta and tests-passed branches, Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting...
Fav-Up - IP Lookup By Favicon Using Shodan
Lookups for real IP starting from the favicon icon and using Shodan. Installation pip3 install -r requirements.txt Shodan API key not the free one Usage CLI First define how you pass the API key: -k or --key to pass the key to the stdin -kf or --key-file to pass the filename which get the key fro...