CVE-2026-11346

The CVE-2026-11346 entry concerns a Server-Side Request Forgery (SSRF) in the custom process creation feature of linQI. An authenticated user can craft a process containing an HTTP Request component to force the server to issue arbitrary HTTP requests, enabling internal-network probing by observi...

Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL

CVE Report — Unauthenticated SSRF via Unfiltered Webhook URL in Gotenberg Severity | Field | Value | |-----------|----------------------------------------| | CVSS v3.1 | 8.6 High | | Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | | CWE | CWE-918 — Server-Side Request Forgery | | Auth | None |...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the FilterDeadline function. An attacker can force the application to make arbitrary outbound HTTP POST requests to internal or external destinations by supplying a crafted URL in the...

GHSA-5VH4-RGV7-P9G4 Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL

CVE Report — Unauthenticated SSRF via Unfiltered Webhook URL in Gotenberg Severity | Field | Value | |-----------|----------------------------------------| | CVSS v3.1 | 8.6 High | | Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | | CWE | CWE-918 — Server-Side Request Forgery | | Auth | None |...

Squidex 代码问题漏洞

Squidex is an open-source content management system developed by Squidex. Versions of Squidex prior to 7.23.0 had code vulnerabilities. These vulnerabilities were caused by a server-side request forgeing issue, allowing users with asset upload permissions to force the server to obtain arbitrary...

CVE-2026-40348

Movary contains an authenticated SSRF vulnerability present before version 0.71.1. An ordinary authenticated user can trigger server-side requests by sending a user-controlled URL to POST /settings/jellyfin/server-url-verify, which appends /system/info/public and causes the server to issue a requ...

EUVD-2026-18827

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL...

CVE-2026-22664

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in the Fal.ai media status polling feature that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack ...

CVE-2026-22664

The CVE-2026-22664 issue affects prompts.chat with an SSRF in Fal.ai media status polling prior to commit 30a8f04. Authenticated users can supply attacker-controlled URLs in the token parameter to trigger arbitrary outbound requests, potentially exposing the FAL_API_KEY in the Authorization heade...

PT-2026-30228

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL...

CVE-2026-34360 HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname,...

CVE-2026-34360 HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname,...

PT-2026-29317

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts a...

FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing

Summary The /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network...

GHSA-3WW8-JW56-9F5H FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing

Summary The /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network...

FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing

The /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services...

CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

CVE-2026-22772

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.5, Fulcio's metaRegex function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF on...

python-kdcproxy: Unauthenticated SSRF via Realm‑Controlled DNS SRV

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request f...

python-kdcproxy: Unauthenticated SSRF via Realm‑Controlled DNS SRV

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request f...