22 matches found
CVE-2026-45231 DumbAssets 1.0.11 Stored Cross-Site Scripting via Asset Fields
DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or updat...
PT-2026-41718
Name of the Vulnerable Software and Affected Versions: DumbAssets versions 1.0 through 1.0.11. Description: A stored cross-site scripting issue exists in asset fields, specifically name, description, modelNumber, serialNumber, and tags. These fields are stored without server-side sanitization and...
CVE-2026-33401
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...
CVE-2026-30834
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Prior to version 0.7.7, a Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs,...
Ghostfolio Code Issue Vulnerability
Ghostfolio is an open-source personal wealth management software developed by Ghostfolio. Versions of Ghostfolio prior to 2.245.0 contained code vulnerabilities. These vulnerabilities stemmed from a flaw in the manual asset import function, where a complete read server-side request forgery was...
GitLab 18.0 < 18.6.6 / 18.7 < 18.7.4 / 18.8 < 18.8.4 (CVE-2025-12575)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticate...
CVE-2025-12575
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user with certain permissions to make unauthorized requests to internal network services throug...
UBUNTU-CVE-2025-12575
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user with certain permissions to make unauthorized requests to internal network services throug...
CVE-2025-65512
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the webpage-to-markdown conversion feature of markdownify-mcp v0.0.2 and before. This vulnerability allows an attacker to bypass private IP restrictions through hostname-based bypass and HTTP redirect chains, enabling access to...
CVE-2025-65512
Markdownify MCP Server vulnerability CVE-2025-65512 affects markdownify-mcp v0.0.2 and earlier. The flaw is a Server-Side Request Forgery (SSRF) in the webpage-to-markdown conversion feature that can bypass private IP restrictions via hostname-based bypass and HTTP redirect chains, enabling acces...
EUVD-2025-20531
Malicious code in bioql PyPI...
CVE-2025-0292
SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services...
CVE-2024-11822
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the apiendpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal...
CVE-2024-11822 Server-Side Request Forgery (SSRF) in langgenius/dify
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the apiendpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal...
CVE-2022-24669
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services...
CVE-2022-24669 Anonymous users can register / de-register for configuration change notifications
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services...
CVE-2016-9185
An information-leak vulnerability was found in the OpenStack Orchestration heat service. Launching a new stack with a local URL resulted in a detailed error message, allowing an authenticated user to conduct network discovery and reveal the details of internal network services...