CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata IMDS or probe internal network services. This issue has been patched in...

CVE-2024-12450

In infiniflow/ragflow versions 0.12.0, the webcrawl function in documentapp.py contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF...

CVE-2024-12450 RCE, Full Read SSRF, and Arbitrary File Read in infiniflow/ragflow

In infiniflow/ragflow versions 0.12.0, the webcrawl function in documentapp.py contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF...

CVE-2024-12450

CVE-2024-12450 affects infiniflow/ragflow 0.12.0, where web_crawl in document_app.py does not filter URL parameters, enabling Full Read SSRF to access internal addresses via the generated PDFs, and allows Arbitrary File Read through the file:// protocol. The underlying Chromium headless is used w...