185 matches found

CVE
added 2026/04/07 2:49 p.m. | 9 views

CVE-2026-35486

CVE-2026-35486 affects text-generation-webui prior to 4.3, where the superbooga/superboogav2 RAG extensions fetch user-supplied URLs via requests.get() without validation. The root cause is lack of URL scheme validation, IP filtering, and hostname allowlisting, enabling an attacker to reach cloud...

7.5 CVSS | 5.9 AI score | 0.004 EPSS
Exploits 1 | References 1 | Affected Software 1

EUVD
added 2026/04/07 2:49 p.m. | 6 views

EUVD-2026-19671

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, the superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get with zero validation — no scheme check, no IP filtering, no hostname allowlist. An attacker can access clo...

7.5 CVSS | 5.9 AI score | 0.004 EPSS
Exploits 1 | References 1

Snyk
added 2026/04/02 8:59 p.m. | 3 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the process that fetches quoted, root, or thread context messages, which bypasses the sender allowlist. An attacker can access message content from unauthorized...

5.3 CVSS | 5.9 AI score
Exploits 0 | References 2

Metasploit
added 2026/04/02 7:02 p.m. | 197 views

HTTPS Fetch, Hidden Bind TCP Stager

Fetch and execute an x86 payload from an HTTPS server. Listen for a connection from a hidden port and spawn a command shell to the allowed host.

Module Options
msf > use payload/cmd/windows/https/x86/dllinject/bind_hidden_tcp
msf payload(bind_hidden_tcp) > show actions
    ...actions...
msf payload(bind_hidden_tc...

6 AI score
Exploits 0

RedhatCVE
added 2026/03/26 3:02 p.m. | 6 views

CVE-2026-32030

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the...

8.2 CVSS | 5.9 AI score | 0.00344 EPSS
Exploits 0 | References 1

CVE
added 2026/03/19 10:07 p.m. | 10 views

CVE-2026-32030

OpenClaw is affected in versions prior to 2026.2.19 by a path traversal vulnerability in the stageSandboxMedia function when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configur...

8.2 CVSS | 6 AI score | 0.00344 EPSS
Exploits 0 | References 3 | Affected Software 1

Vulnrichment
added 2026/03/19 10:07 p.m. | 4 views

CVE-2026-32030 OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the...

8.2 CVSS | 5.9 AI score | 0.00344 EPSS
Exploits 0 | References 3

OSV
added 2026/03/10 8:24 a.m. | 6 views

MAL-2026-1320 Malicious code in chain-promised-await (npm)

Remote code execution via fetching code from a remote URL and Discord webhook usage indicates malicious intent. Single version adds to suspicion.

---
-= Per source details. Do not edit below this line. =-
Source: amazon-inspector b5b882a33fdd394ef7a848100d8ee39ef4c7f0747942b4bea86e38af5780c978
The...

6.3 AI score
Exploits 0 | References 2

CVE
added 2026/03/05 9:59 p.m. | 25 views

CVE-2026-28451

CVE-2026-28451 affects OpenClaw prior to 2026.2.14. The Feishu extension contains server-side request forgery (SSRF) in two paths: sendMediaFeishu(mediaUrl) and markdown image processing in Feishu DocX. An attacker who can influence tool calls or prompt injection can trigger requests to attacker-...

9.3 CVSS | 5.9 AI score | 0.00275 EPSS
Exploits 0 | References 3 | Affected Software 1

Vulnrichment
added 2026/03/05 9:59 p.m. | 0 views

CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

8.3 CVSS | 5.8 AI score | 0.00275 EPSS
Exploits 0 | References 3

Cvelist
added 2026/03/05 9:59 p.m. | 36 views

CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

8.3 CVSS | 0.00275 EPSS
Exploits 0 | References 3

ATTACKERKB
added 2026/02/27 10:17 p.m. | 6 views

CVE-2026-27759

Featured Image from Content featured-image-from-content WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations ...

5.3 CVSS | 5.9 AI score | 0.00234 EPSS
Exploits 0 | References 3

CNNVD
added 2026/02/25 12:00 a.m. | 10 views

karakeep cross-site scripting vulnerability

Karakeep is an open-source bookmarking app developed by Karakeep App. Version 0.30.0 of Karakeep contains a cross-site scripting vulnerability. This vulnerability arises from the Reddit meta-fetching plugin not using DOMPurify to clean HTML content, allowing malicious HTML to be executed in users...

8.2 CVSS | 5.6 AI score | 0.00319 EPSS
Exploits 1 | References 3

RedhatCVE
added 2026/02/03 3:18 p.m. | 12 views

CVE-2026-0599

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...

7.5 CVSS | 5.5 AI score | 0.22494 EPSS
Exploits 0 | References 1

OSV
added 2026/02/02 11:16 a.m. | 8 views

CVE-2026-0599

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...

7.5 CVSS | 7.3 AI score
Exploits 0 | References 2

Positive Technologies
added 2026/02/02 12:00 a.m. | 4 views

PT-2026-5654

Name of the Vulnerable Software and Affected Versions
huggingface/text-generation-inference version 3.3.6
huggingface/text-generation-inference versions prior to 3.3.7

Description
A flaw exists in huggingface/text-generation-inference that allows unauthenticated remote attackers to cause a...

7.5 CVSS | 7.4 AI score | 0.22494 EPSS
Exploits 0 | References 8

vulnersOsv
added 2026/01/26 9:02 p.m. | 7 views

@kcconfigs/commitlint (>=0.1.0-beta.2 <=0.2.0), @pnpm/cache.commands (>=1000.0.52 <=1000.0.54) +35 more potentially affected by CVE-2026-23888 via @pnpm/fetching.binary-fetcher (>=1005.0.0 <=1005.0.1)

@pnpm/fetching.binary-fetcher NPM version =1005.0.0, =0.1.0-beta.2, =1000.0.52, =1001.2.17, =1001.1.13, =1016.0.0, =1002.2.21, =1003.0.24, =1002.0.3, =1000.0.52, =1001.0.16, =1001.1.10, =1002.1.28, =1000.3.8, =1002.0.23, =1000.1.51, =1000.1.53 and more
Source cves: CVE-2026-23888
Source advisory:...

6.5 CVSS | 5.8 AI score | 0.00396 EPSS
Exploits 1

SUSE CVE
added 2026/01/06 12:36 a.m. | 5 views

SUSE CVE-2017-18888

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts...

9.8 CVSS | 9.6 AI score | 0.01103 EPSS
Exploits 0 | References 2

NVD
added 2026/01/01 10:15 p.m. | 8 views

CVE-2025-15414

A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing a manipulation of the argument uri can lead to server-side request forgery. The attack may be launched...

5.8 CVSS | 0.00223 EPSS
Exploits 0 | References 5

Vulnrichment
added 2026/01/01 9:32 p.m. | 3 views

CVE-2025-15414 go-sonic Theme Fetching API git_fetcher.go FetchTheme server-side request forgery

A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing a manipulation of the argument uri can lead to server-side request forgery. The attack may be launched...

5.8 CVSS | 4.8 AI score | 0.00223 EPSS
Exploits 0 | References 5