Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Summary Flowise introduced SSRF protections through a centralized HTTP security wrapper httpSecurity.ts that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axiosInstead of using the secured...

GHSA-QQVM-66Q4-VF5C Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Summary Flowise introduced SSRF protections through a centralized HTTP security wrapper httpSecurity.ts that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axiosInstead of using the secured...

Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Impact The webhook add-on did not utilize existing SSRF protection. Patches https://github.com/WeblateOrg/weblate/pull/18815 Workarounds Disabling the add-on would avoid misusing this. References Thanks to @Lihfdgjr for reporting this via GitHub...

CVE-2026-39845

Weblate (web-based localization tool) has a vulnerability in versions prior to 5.17 where the webhook add-on did not apply SSRF protections. The root cause is exposure via the webhook add-on’s fetch_url() path, enabling potential SSRF risks as described in the CVE entry. The issue is fixed in ver...

CVE-2026-39845 Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround...

CVE-2026-39845 Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround...

CVE-2026-40242

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...

CVE-2026-39843

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address ...

CVE-2026-33534

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery SSRF vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation e.g.,...

CVE-2026-33534 EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery SSRF vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation e.g.,...

CVE-2026-39362

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREEDOWNLOADFROMURL is enabled opt-in, authenticated users can supply remoteimage URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...

GHSA-55V6-G8PM-PW4C rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration

GitHub Security Lab GHSL Vulnerability Report, rembg: GHSL-2024-161, GHSL-2024-162 The GitHub Security Lab team has identified potential security vulnerabilities in rembg. We are committed to working with you to help resolve these issues. In this report you will find everything you need to...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the url parameter in the /api/templates/fetch endpoint, which performs a server-side HTTP GET request without authentication or validation of the URL scheme or host. An attacker can access internal...

CVE-2026-40242

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...

EUVD-2026-21599

Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint...

GHSA-FF24-4PRJ-GPMJ Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint

Summary The /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. type. This constitutes an...

Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint

Summary The /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. type. This constitutes an...

CVE-2026-40242

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...

CVE-2026-40242 Arcane Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...

CVE-2026-40242 Arcane Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation...