Lucene search
K

475 matches found

CNNVD
CNNVD
added 2026/03/17 12:0 a.m.6 views

libsoup 安全漏洞

Libsoup is a GNOME project’s HTTP client/server library. Libsoup has a security vulnerability that stems from improper validation of hostnames. This allows special characters to be injected into HTTP headers, potentially enabling remote attackers to execute HTTP requests with malicious payloads,...

5.5CVSS7.4AI score0.00207EPSS
Exploits1References3
NVD
NVD
added 2026/03/12 7:16 p.m.7 views

CVE-2026-32236

Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...

7.5CVSS0.00292EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/06 5:5 a.m.3 views

Improper Validation of Syntactic Correctness of Input

Overview Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via inadequate validation of hostnames in the libsoup client. An attacker can inject malicious HTTP headers by supplying specially crafted URLs, potentially enabling HTTP smuggling o...

5.5CVSS7.3AI score0.00207EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/03/03 12:0 a.m.7 views

Apache Ranger 安全漏洞

Apache Ranger is a set of security measures implemented for Hadoop clusters by the Apache Foundation. This product provides central security policy management to address core enterprise security requirements such as authorization, settlement, and data protection. Apache Ranger versions 2.7.0 and...

5.3CVSS5.8AI score0.00329EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/02/26 10:14 a.m.6 views

CVE-2026-2479

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of strpos for substring-based hostname validation instead of strict host comparison in the ajaxuploadimage function. This makes i...

5CVSS5.5AI score0.00234EPSS
Exploits0References1
Snyk
Snyk
added 2026/02/25 10:57 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the /https route handler. An attacker can access internal network resources and retrieve sensitive information by supplying a crafted domain that resolves to a loopback or private IP address, thereby...

8.7CVSS5.9AI score0.00339EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/25 8:25 a.m.3 views

CVE-2026-2479 Responsive Lightbox & Gallery <= 2.7.1 - Authenticated (Author+) Server-Side Request Forgery via Remote Library Image Upload

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of strpos for substring-based hostname validation instead of strict host comparison in the ajaxuploadimage function. This makes i...

5CVSS5.5AI score0.00234EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/25 8:25 a.m.4 views

CVE-2026-2479

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of strpos for substring-based hostname validation instead of strict host comparison in the ajaxuploadimage function. This makes i...

5CVSS5.5AI score0.00234EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/02/25 12:0 a.m.9 views

WordPress plugin Responsive Lightbox & Gallery 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

5CVSS5.9AI score0.00234EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/02/11 1:33 a.m.10 views

CVE-2026-25492

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

6.5CVSS5.5AI score0.00419EPSS
Exploits1References1
NVD
NVD
added 2026/02/09 8:15 p.m.9 views

CVE-2026-25492

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

6.5CVSS0.00419EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/02/09 7:33 p.m.6 views

CVE-2026-25492

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

5.3CVSS5.5AI score0.00419EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/09 7:33 p.m.4 views

CVE-2026-25492 Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

5.3CVSS5.5AI score0.00419EPSS
Exploits1References3
CVE
CVE
added 2026/02/09 7:33 p.m.15 views

CVE-2026-25492

Craft CMS versions 3.5.0–4.16.17 and 5.0.0-RC1–5.8.21 are affected. The save_images_Asset GraphQL mutation can be abused to fetch internal URLs by supplying a domain resolving to an internal IP, bypassing hostname validation. If a non-image file extension (e.g., .txt) is allowed, downstream image...

6.5CVSS5.5AI score0.00419EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/02/09 7:33 p.m.33 views

CVE-2026-25492 Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

5.3CVSS0.00419EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/02/09 12:0 a.m.10 views

PT-2026-7142

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save images Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...

5.3CVSS5.5AI score0.00419EPSS
Exploits1References4
Veracode
Veracode
added 2026/02/05 8:36 a.m.6 views

Server-Side Request Forgery (SSRF)

vllm is vulnerable to a Server-Side Request Forgery SSRF. The vulnerability is due to inconsistent URL parsing and hostname validation in the MediaConnector class when processing user-supplied media URLs, which allows an attacker to bypass host restrictions and coerce the vLLM server into making...

7.1CVSS5.7AI score0.00528EPSS
Exploits1References15Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/04 3:15 a.m.6 views

CVE-2026-24932

The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle MitM attack, whi...

8.9CVSS5.5AI score0.00206EPSS
Exploits0References1
EUVD
EUVD
added 2026/02/03 2:19 a.m.6 views

EUVD-2026-5283

The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle MitM attack, whi...

8.9CVSS5.5AI score0.00206EPSS
Exploits0References1
CVE
CVE
added 2026/02/03 2:19 a.m.23 views

CVE-2026-24932

The CVE-2026-24932 issue is an improper TLS/SSL certificate hostname validation in ADM’s DDNS update function. The vulnerability allows a remote attacker to perform a Man‑in‑the‑Middle (MitM) attack over HTTPS, potentially exposing sensitive DDNS updating data such as the user’s email, MD5‑hashed...

8.9CVSS5.5AI score0.00206EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder