CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/14 6:26 p.m.•1 views

GHSA-PR28-MF3Q-QPG6 Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget

Summary ApostropheCMS contains an authenticated server-side request forgery SSRF in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses,...

7.6CVSS5.8AI score

Github Security Blog•added 2026/05/14 6:26 p.m.•7 views

Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget

Exploits0References2Affected Software1

OSV•added 2026/05/14 6:26 p.m.•1 views

GHSA-7RX4-C5VX-G8W3 Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections

Summary The metascraper-logo-favicon plugin makes HTTP requests to URLs extracted from attacker-controlled HTML without going through the application's validateUrl SSRF protections. This allows any authenticated user to make the server fetch arbitrary internal URLs by bookmarking a page containin...

7.1CVSS6AI score

Exploits0References5

ATTACKERKB•added 2026/05/14 3:30 p.m.•4 views

CVE-2026-42592

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when i...

5.3CVSS5.8AI score0.00035EPSS

Exploits1References2Affected Software1

Positive Technologies•added 2026/05/14 12:0 a.m.•5 views

PT-2026-41154

7.6CVSS5.8AI score

Exploits0References3

Positive Technologies•added 2026/05/14 12:0 a.m.•4 views

PT-2026-41165

Name of the Vulnerable Software and Affected Versions CodeWhale versions prior to 0.8.22 Description The fetch url tool implements a check using the is restricted ip function to validate the resolved IP address of an initial URL against a blocklist of restricted IPs, such as localhost, private...

7.4CVSS5.7AI score0.00034EPSS

Exploits0References9

Positive Technologies•added 2026/05/14 12:0 a.m.•4 views

PT-2026-41196

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.5 Description The validate url function in backend/open webui/retrieval/web/utils.py only validates the initial URL provided by the user. Downstream HTTP clients, including sync requests, async aiohttp, and...

8.5CVSS5.8AI score0.00039EPSS

Exploits1References9

NVD•added 2026/05/13 8:16 p.m.•5 views

CVE-2026-44363

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allo...

5.8CVSS0.00007EPSS

Vulnrichment•added 2026/05/13 7:16 p.m.•1 views

CVE-2026-44363 Unsafe remote resource fetching in expansion misp-modules

5.8CVSS6AI score0.00007EPSS

OSV•added 2026/05/13 4:27 a.m.•1 views

MAL-2026-3683 Malicious code in @dropout-ai/runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2121b923a39177ed68ce5cf066cbb07891b7cb5d20ecf5ec66f2c953634eff10 On require/import, src/index.js replaces global.fetch with a wrapper that intercepts every fetch whose URL matches openai.com, anthropic.com,...

OSSF Malicious Packages•added 2026/05/13 4:27 a.m.•6 views

Malicious code in @dropout-ai/runtime (npm)

OSV•added 2026/05/12 7:43 a.m.•4 views

MAL-2026-3687 Malicious code in crazehub (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075 crazehub/init.py performs multiple user-hostile actions at import time. Lines 2-3 unconditionally run os.system"pip install phonenumbers" and...

6AI score

OSSF Malicious Packages•added 2026/05/12 7:43 a.m.•6 views

Malicious code in crazehub (PyPI)

6AI score

OSV•added 2026/05/12 7:42 a.m.•1 views

MAL-2026-3682 Malicious code in @chahuadev/junk-sweeper-app (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d446150767f92344d8d0a699f5879bd746200fb8beb60554408699868f03d51 The package's postinstall script package.json line 10: "postinstall": "node install.js" unconditionally fetches a platform-native executable from...