Lucene search

185 matches found

ATTACKERKB
added 2026/06/22 8:00 p.m. | 4 views

CVE-2026-55599

phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it...

5.8 CVSS | 5.9 AI score | 0.00133 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
RedhatCVE
added 2026/06/05 7:25 p.m. | 10 views

CVE-2026-44363

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allo...

5.8 CVSS | 5.6 AI score | 0.00102 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/05/29 3:12 p.m. | 37 views

CVE-2026-33386 XSS in QuickCMS

QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin-fetching mechanism. A malicious attacker can perform a Man-in-the-Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a...

2.3 CVSS | 0.00185 EPSS
Exploits: 0 | References: 2
Github Security Blog
added 2026/05/28 6:27 p.m. | 15 views

compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem

A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module. Finding 1 (Critical): SSRF (CWE-918). The HTTPSFetcher._do_fetch method passes a user-supplied URL directly to requests.get without validation. This allows an attacker to...

6 AI score | 0.00012 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Positive Technologies
added 2026/05/28 12:00 a.m. | 13 views

PT-2026-44731

A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module. Finding 1 (Critical): SSRF (CWE-918). The HTTPSFetcher._do_fetch method passes a user-supplied URL directly to requests.get without validation. This allows an attacker to...

6.7 CVSS | 6 AI score | 0.00012 EPSS
Exploits: 0 | References: 5
Snyk
added 2026/05/27 10:57 p.m. | 6 views

Directory Traversal

Overview: compliance-trestle is a set of tools to manage and autogenerate Python objects representing the OSCAL layers/models. Affected versions of this package are vulnerable to Directory Traversal through remote cache fetching. An attacker can write arbitrary files to locations outside the intended cache...

8.8 CVSS | 6.3 AI score | 0.00047 EPSS
Exploits: 0 | References: 3
OSV
added 2026/05/19 4:57 p.m. | 8 views

MAL-2026-4503 Malicious code in bytecore (npm)

Source: amazon-inspector (1c1ddd2dea35052822d2dc89f0f46ceae20c772c257e0c97f0024483e9ff31c0). The package masquerades as a pino-like logging middleware (README is copied from pino, exports a pino property, mimics pino's option shape) but the...

5.9 AI score
Exploits: 0 | References: 1
CVE
added 2026/05/13 7:16 p.m. | 14 views

CVE-2026-44363

The CVE-2026-44363 issue affects MISP modules (misp-modules), specifically the html_to_markdown and qrcode modules. Root cause: unsafe remote resource fetching and insufficient URL validation, with qrcode also disabling TLS certificate verification. Impact: potential Server-Side Request Forgery (...

5.8 CVSS | 6 AI score | 0.00102 EPSS
Exploits: 0 | References: 2
ATTACKERKB
added 2026/05/13 7:16 p.m. | 7 views

CVE-2026-44363

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allo...

5.8 CVSS | 6 AI score | 0.00102 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2026/05/13 6:08 p.m. | 27 views

CVE-2026-0258 PAN-OS: Server-Side Request Forgery (SSRF) in IKEv2 Certificate URL Fetching

A server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS® software allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition. Panorama, Cloud NGFW and...

8.3 CVSS | 0.00317 EPSS
Exploits: 0 | References: 1
CVE
added 2026/05/13 6:08 p.m. | 32 views

CVE-2026-0258

CVE-2026-0258 describes a server-side request forgery (SSRF) in the IKEv2 components of PAN-OS. An unauthenticated attacker could cause the firewall to issue network requests to unintended destinations or trigger a DoS condition. Affected scope is PAN-OS IKEv2 certificate URL fetching (per CVE re...

8.3 CVSS | 5.8 AI score | 0.00317 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/05/08 10:17 p.m. | 19 views

CVE-2026-44286 FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation

FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers or authenticated users with App editing privileges to send arbitrary HTTP requests to internal/private network addresses. The fetchData function i...

2.3 CVSS | 5.9 AI score | 0.00228 EPSS
Exploits: 0 | References: 2
CNNVD
added 2026/05/08 12:00 a.m. | 12 views

go-git security vulnerability

go-git is an open-source, highly scalable Git implementation written entirely in Go. Versions of go-git prior to 5.18.0 and 6.0.0-alpha.2 contained security vulnerabilities. These vulnerabilities were due to a flaw where, during smart HTTP clone and fetch operations, redirecting could lea...

7.4 CVSS | 5.8 AI score | 0.00259 EPSS
Exploits: 0 | References: 1
EUVD
added 2026/04/28 5:15 p.m. | 6 views

EUVD-2026-26074

A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit ha...

6.5 CVSS | 6.2 AI score | 0.00206 EPSS
Exploits: 0 | References: 5
CVE
added 2026/04/28 5:15 p.m. | 13 views

CVE-2026-7291

Technical details (affected products, versions, root cause, impact, and remediation) are not publicly available in the provided documents; monitor for updates.

6.5 CVSS | 6.3 AI score | 0.00206 EPSS
Exploits: 0 | References: 5
Cvelist
added 2026/04/28 5:15 p.m. | 33 views

CVE-2026-7291 o2oa URL Fetching FileAction.java FileAction server-side request forgery

A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit ha...

6.5 CVSS | 0.00206 EPSS
Exploits: 0 | References: 5
Positive Technologies
added 2026/04/28 12:00 a.m. | 5 views

PT-2026-35752

A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit ha...

6.5 CVSS | 6.2 AI score | 0.00206 EPSS
Exploits: 0 | References: 5
Cvelist
added 2026/04/09 5:48 p.m. | 17 views

CVE-2026-35207 deepinid plugin in dde-control-center is configured to skip TLS certificate verification when downloading avatar from remote server

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from...

5.4 CVSS | 0.00148 EPSS
Exploits: 0 | References: 4
Cvelist
added 2026/04/09 3:43 p.m. | 17 views

CVE-2026-39843 Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching

Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal HTML page contains a link tag with an href that redirects to a private IP address ...

7.7 CVSS | 0.00246 EPSS
Exploits: 1 | References: 1
CVE
added 2026/04/09 3:43 p.m. | 16 views

CVE-2026-39843

CVE-2026-39843 affects Plane prior to 1.3.0. The favicon fetch path is vulnerable because fetch_and_encode_favicon() uses a redirects-enabled request, allowing Server-Side Request Forgery when a page contains a link tag with an href redirecting to a private IP, supplied by an authenticated attack...

7.7 CVSS | 5.9 AI score | 0.00246 EPSS
Exploits: 1 | References: 1 | Affected Software: 1