Server-side Request Forgery (SSRF)

Overview pydantic-ai-slim is an Agent Framework / shim to use Pydantic with LLMs, slim package Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via incomplete blocklist in isprivateip function when forcedownload='allow-local' is enabled. An attacker can access...

EUVD-2026-26883

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The...

CVE-2026-7291

A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit ha...

CVE-2026-7291

Technical details (affected products, versions, root cause, impact, and remediation) are not publicly available in the provided documents; monitor for updates.

CVE-2026-35668

OpenClaw contains a path traversal vulnerability in its sandbox enforcement prior to version 2026.3.24. The flaw allows sandboxed agents to read arbitrary files from other agents’ workspaces through unnormalized mediaUrl and fileUrl parameter keys, due to incomplete parameter validation in normal...

EUVD-2026-21482

OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in...

CVE-2026-35668

OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in...

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the mediaUrl and fileUrl parameters, which bypass validation of localRoots. An attacker can access arbitrary files on the local filesystem by supplying crafted...

OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)

Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Sandbox Media Root Bypass via Unnormalized mediaUrl / fileUrl Parameter Keys CWE-22 Description: Summary A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary...

easegen-admin 路径遍历漏洞

easegen-admin is a digital human course creation platform developed by taoofagi. Easegen-admin has a path traversal vulnerability, which stems from incorrect handling of the parameter fileUrl in the file...

CVE-2026-2945

A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown functionality of the file /sys/common/uploadImgByHttp. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. The attack may be launched remotely. The exploit has bee...

CVE-2025-9208

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL,...

CVE-2025-68155

The CVE concerns @vitejs/plugin-rsc (used with Vite) in development mode. Prior to version 0.5.8, the endpoint /__vite_rsc_findSourceMapURL accepts a file:// URL in the filename query parameter, converts it to a filesystem path, and reads the target file without validating its location, returning...

EUVD-2002-1749

Malware in sbrugna...

EUVD-2008-4889

Malware in sbrugna...

EUVD-2023-31869

Malicious code in bioql PyPI...

EUVD-2022-52824

Malicious code in bioql PyPI...

CVE-2023-3121

A vulnerability has been found in Dahua Smart Parking Management up to 20230528 and classified as problematic. This vulnerability affects unknown code of the file /ipms/imageConvert/image. The manipulation of the argument fileUrl leads to server-side request forgery. The exploit has been disclose...

Butterfly has path/URL confusion in resource handling leading to multiple weaknesses

Summary The Butterfly framework uses the java.net.URL class to refer to what are expected to be local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, if a file:/ URL is directly given where a relative path resource name is...

WordPress KAP Theme 2.0 Directory Traversal

==================================================================================================================================== | Title : Wordpress KAP-theme v2.0 Directory Traversal Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox...