PT-2026-38308

Name of the Vulnerable Software and Affected Versions MISP Modules versions prior to 3.0.7 Description Unsafe remote resource fetching exists in expansion modules. The html to markdown module accepts arbitrary HTTPS URLs without sufficient validation, enabling Server-Side Request Forgery SSRF—a...

GHSA-2HCH-C97C-G99X AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()

Summary Two endpoints in AVideo call isSSRFSafeURL to validate user-supplied URLs, then fetch them using bare filegetcontents without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an...

AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction

Summary objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller including unauthenticated visitors, which defeats the admin-only guard...

External Control of File Name or Path

Overview @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol GEP for auditable, reusable evolution assets. Affected versions of this package are vulnerable to External Control of File Name or Path via the fetch...

@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)

Summary The evolver fetch subcommand in index.js writes Hub-supplied bundledfiles into a directory derived from a Hub-supplied skillid. When --out is not used, the path-sanitizing regex permits . characters, allowing a skillid of .. to escape the skills/ subdirectory and resolve to the user's...

GHSA-CFCJ-HQPF-HCCF @evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)

Summary The evolver fetch subcommand in index.js writes Hub-supplied bundledfiles into a directory derived from a Hub-supplied skillid. When --out is not used, the path-sanitizing regex permits . characters, allowing a skillid of .. to escape the skills/ subdirectory and resolve to the user's...

Server-side Request Forgery (SSRF)

Overview open-websearch is a web search the internet Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchWebContent process. An attacker can access internal network resources and retrieve sensitive information by supplying specially crafted URLs that...

open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`

Summary src/utils/urlSafety.ts exposes isPublicHttpUrl / assertPublicHttpUrl, used to gate the MCP fetchWebContent tool against private-network targets. The check has two defects that together allow non-blind SSRF with the response body returned to the caller: 1. Bracketed IPv6 literals are never...

GHSA-V228-72C7-FX8J open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`

Summary src/utils/urlSafety.ts exposes isPublicHttpUrl / assertPublicHttpUrl, used to gate the MCP fetchWebContent tool against private-network targets. The check has two defects that together allow non-blind SSRF with the response body returned to the caller: 1. Bracketed IPv6 literals are never...

link-preview-js vulnerable to IPv6 and internal loopback attacks

Impact The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. Patches Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. T...

Server-side Request Forgery (SSRF)

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the fetchmetadata.php process. An attacker can access internal network resources or sensitive clo...

Admidio has an incomplete fix for CVE-2026-32812 (SSRF)

Summary The incomplete SSRF fix in Admidio's fetchmetadata.php validates the resolved IP address but passes the original hostname-based URL to curlinit, leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. Affected Package - Ecosystem: Other - Package: admidio -...

gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data

Summary Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch. Details Bug 1: Unchecked array...

GHSA-X494-MJ8G-CJ27 gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data

Summary Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch. Details Bug 1: Unchecked array...

Server-side Request Forgery (SSRF)

Overview firefighter-incident is an Incident Management tool made for Slack using Django Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the CreateJiraBotView class. An attacker can access internal resources and exfiltrate sensitive data by submitting...

GHSA-M68R-V472-JGQ9 JupyterHub has cross-origin form POSTs bypass XSRF (CWE-352)

Summary JupyterHub's XSRF protection updated in 4.1.0 inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, which they are not, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attacke...

Server-side Request Forgery (SSRF)

Overview edx-enterprise is a Your project description goes here Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the syncproviderdata function. An attacker can cause the server to make arbitrary HTTP requests to internal or external resources by supplying a...

CVE-2026-43526

OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded...

CVE-2026-43526

OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded...

EUVD-2026-27263

OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded...