BMC FootPrints 'feedUrl' - Server-Side Request Forgery

BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery SSRF vulnerability in the /footprints/servicedesk/externalfeed/RSS endpoint. The 'feedUrl' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling...

EUVD-2026-31379

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...

CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...

CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...

PT-2026-42580

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier Description The RSS Displayer block accepts a feed URL from page editors and fetches it server-side without proper validation. This lack of validation allows for redirect-to-internal bypasses, where an...

CVE-2026-44515

CVE-2026-44515 : Nextcloud News is vulnerable to blind SSRF in versions prior to 28.3.0-beta.1. An authenticated user can add feeds by URL, including internal/private IPs or localhost, causing the server to perform server-side HTTP requests to attacker-controlled destinations without relaying res...

CVE-2026-44515 Nextcloud News: Authenticated blind SSRF via feed URL

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL via the web interface or the API. In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or...

CVE-2026-44515 Nextcloud News: Authenticated blind SSRF via feed URL

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL via the web interface or the API. In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or...

CVE-2026-44515

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL via the web interface or the API. In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or...

PT-2026-40964

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL via the web interface or the API. In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or...

CVE-2022-50412

creationtimestamp| type| source ---|---|--- 2025-12-03 14:14:49+00:00| seen| https://vulnerability.circl.lu/bundle/816dcc8e-f25a-4895-9b59-1bbd9caeccb8...

EUVD-2008-3893

Malware in sbrugna...

EUVD-2012-1974

Malware in sbrugna...

CVE-2025-5015

A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one...

PT-2025-23855 · Freshrss · Freshrss

Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.26.2 Description: The issue allows an attacker to poison feed favicons by manipulating the feed URL and proxy settings, potentially replacing favicons for all users. This is possible because the favicon hash...

CVE-2023-24060

Haven 5d15944 allows Server-Side Request Forgery SSRF via the feedurl= Feeds functionality. Authenticated users with the ability to create new RSS Feeds or add RSS Feeds can supply an arbitrary hostname or even the hostname of the Haven server itself. NOTE: this product has significant usage but...

SUSE CVE-2015-4483

Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request...

CVE-2023-24060

Haven 5d15944 allows Server-Side Request Forgery SSRF via the feedurl= Feeds functionality. Authenticated users with the ability to create new RSS Feeds or add RSS Feeds can supply an arbitrary hostname or even the hostname of the Haven server itself. NOTE: this product has significant usage but...

CVE-2015-4483

Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request...

CVE-2015-4483

CVE-2015-4483 affects Mozilla Firefox up to version 40.0. A vulnerability in the feed: protocol combined with POST requests can bypass the browser’s mixed-content protections, enabling MITM-scripted content on a page. Remediation: upgrade to the latest Firefox (40.0+).