283 matches found
CVE-2026-61646
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an...
CVE-2026-45806
Penpot before 2.15.0 vulnerable to authenticated SSRF in remote image import. The flow passes a user-controlled URL from frontend to the backend RPC method create-file-media-object-from-url, where media/download-image uses a shared HTTP client without destination filtering, allowing an authentica...
PT-2026-60102
Name of the Vulnerable Software and Affected Versions Anyquery affected versions not specified Description When operating in server mode, the software does not restrict outbound HTTP requests initiated by built-in SQLite virtual table modules, such as json reader and log reader. Unauthenticated...
CVE-2026-49969 Laravel-Mediable < 7.0.0 SSRF via RemoteUrlAdapter URL Handling
Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource. Attackers can craft URLs targeting...
GHSA-489G-7RXV-6C8Q MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Summary GHSA-7r34-79r5-rcc9's fix added validateurlforssrf, which resolves the attacker-controlled X-Atlassian-Jira,Confluence-Url header host once at middleware time and trusts the result. But the outbound request is later built with the raw hostname and re-resolves at connect time with no IP...
CVE-2026-55671 ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to...
CVE-2026-15378
A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...
EUVD-2026-42858
A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...
PT-2026-57144
Name of the Vulnerable Software and Affected Versions guardrails-detectors affected versions not specified Red Hat Enterprise Linux affected versions not specified Red Hat OpenShift AI affected versions not specified Description A flaw in the guardrails-detectors component allows a remote attacke...
EUVD-2026-42376
Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the filefetch function in the /gradioapi/file= endpoint. Attackers can cra...
CVE-2026-58468
NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin...
CVE-2026-34170
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...
EUVD-2026-41997
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...
CVE-2026-34170 Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...
GHSA-794R-5RP2-FPG8 flyto-core has SSRF guard bypass via IPv6 transition addresses (IPv4-mapped / 6to4 / NAT64) in validate_url_ssrf
Summary flyto-core's SSRF protection validateurlssrf / isprivateip in src/core/utils.py blocks private and metadata destinations by resolving the host and testing the resulting IP for membership in a hardcoded PRIVATEIPRANGES list. That list contains only the native RFC 1918 / loopback / link-loc...
CVE-2026-14620 webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any websi...
CVE-2026-14620
webpack-dev-server prior to 5.2.6 exposes two internal endpoints (/webpack-dev-server/open-editor and /webpack-dev-server/invalidate) that perform state-changing actions on any GET request without origin verification. This enables cross-origin interactions when a user visits any website while the...
CVE-2026-10055
In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the...
CVE-2026-10055
In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the...
CVE-2026-10055
In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the...