19 matches found
CVE-2026-60105
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obta...
EUVD-2026-42427
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obta...
PT-2026-56613
Name of the Vulnerable Software and Affected Versions Monsta FTP versions prior to 2.14.5 Description An unauthenticated attacker can trigger a server-side request forgery SSRF by bypassing an IP blocklist. The issue occurs in the fetchRemoteFile action due to an incomplete check in the isBlocked...
Malicious code in crazehub (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075 crazehub/init.py performs multiple user-hostile actions at import time. Lines 2-3 unconditionally run os.system"pip install phonenumbers" and...
CVE-2026-42261
PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body up t...
PT-2026-38645
Name of the Vulnerable Software and Affected Versions PromptHub versions 0.4.9 through 0.5.3 Description An authenticated endpoint "/api/skills/fetch-remote" fetches a user-supplied URL server-side and reflects the response body back to the caller. The Server-Side Request Forgery SSRF protection ...
CVE-2026-32982
OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to lo...
Insertion of Sensitive Information into Log File
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the fetchRemoteMedia function. An attacker can obtain sensitive bot tokens by triggering Telegram media fetch errors that cause the...
Directory Traversal
Overview @google/clasp is a Develop Apps Script Projects locally Affected versions of this package are vulnerable to Directory Traversal in the fetchRemote function in files.ts. An attacker can overwrite files outside the intended project directory via pull and clone commands. Details A Directory...
EUVD-2011-4811
Malware in sbrugna...
CVE-2022-30781
Gitea before 1.16.7 does not escape git fetch remote...
CVE-2022-30781
Gitea before 1.16.7 does not escape git fetch remote...
CVE-2022-30781
Gitea before 1.16.7 does not escape git fetch remote...
Gitea 安全漏洞
Gitea is a lightweight Go-based git service developed by the Gitea community. A security vulnerability exists in Gitea version 1.16.7 that stems from not escaping the git fetch remote...
PT-2022-17575 · Unknown · Workspace-Tools
Name of the Vulnerable Software and Affected Versions: workspace-tools versions prior to 0.18.4 Description: The issue concerns Command Injection via git argument injection. When the fetchRemoteBranchremote: string, remoteBranch: string, cwd: string function is called, both the remote and...
PT-2022-20314
Name of the Vulnerable Software and Affected Versions Gitea versions 1.16.6 and prior Description The issue is related to the improper handling of git fetch, allowing for shell command injection. This is due to the lack of escaping for the git fetch remote. There is no information provided about...
DEBIAN-CVE-2022-25648
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetchremote = 'origin', opts = function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform...
CVE-2016-9417
The fetchremotefile function in MyBB aka MyBulletinBoard before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery SSRF attacks via unspecified vectors...
Server side request forgery (ssrf)
The fetchremotefile function in MyBB aka MyBulletinBoard before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery SSRF attacks via unspecified vectors...