Lucene search

62 matches found

NVD, added 2026/05/27 6:16 p.m., 8 views

CVE-2026-45548

Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated...

CVSS 7.7, EPSS 0.00032
Exploits 0, References 2
CVE, added 2026/05/27 5:11 p.m., 9 views

CVE-2026-45548

The CVE-2026-45548 entries describe a Server-Side Request Forgery (SSRF) in Budibase where processUrlFile (AI Extract File step) calls fetch(fileUrl) without the IP blacklist, bypassing protections used by other automation steps. This allowed an authenticated builder to trigger server-side reques...

CVSS 7.7, AI score 5.8, EPSS 0.00032
Exploits 0, References 2
Cvelist, added 2026/05/27 5:11 p.m., 34 views

CVE-2026-45548 Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated...

CVSS 7.7, EPSS 0.00032
Exploits 0, References 2
EUVD, added 2026/05/27 5:10 p.m., 4 views

EUVD-2026-32603

Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration packages/server/src/integrations/rest.ts follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecti...

CVSS 7.7, AI score 5.8, EPSS 0.00032
Exploits 0, References 2
EUVD, added 2026/05/27 4:50 p.m., 3 views

EUVD-2026-32586

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

CVSS 7.7, AI score 5.8, EPSS 0.00032
Exploits 0, References 1
Github Security Blog, added 2026/05/15 5:53 p.m., 8 views

Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration

Summary: The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. The same vulnerability class was already patched in...

CVSS 7.7, AI score 5.8, EPSS 0.00032
Exploits 0, References 3, Affected Software 1
OSV, added 2026/05/15 5:53 p.m., 2 views

GHSA-FGQV-JH4G-PVG2 Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration

Summary: The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. The same vulnerability class was already patched in...

CVSS 7.7, AI score 5.8, EPSS 0.00032
Exploits 0, References 3
OSV, added 2026/05/15 5:47 p.m., 3 views

GHSA-RPJ4-7X2V-WJRF Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

Vulnerability Details: CWE-918: Server-Side Request Forgery (SSRF). The processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticate...

CVSS 7.7, AI score 5.8, EPSS 0.00032
Exploits 0, References 3
Positive Technologies, added 2026/05/15 12:00 a.m., 7 views

PT-2026-41394

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.34.8. Description: An authenticated user can trigger server-side requests to internal network addresses. This occurs because the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses...

CVSS 7.7, AI score 5.8, EPSS 0.00032
Exploits 0, References 5
ATTACKERKB, added 2026/04/03 3:41 p.m., 2 views

CVE-2026-31818

Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLISTIPS environment...

CVSS 9.6, AI score 5.8, EPSS 0.00014
Exploits 1, References 5, Affected Software 1
EUVD, added 2025/10/07 12:30 a.m., 1 view

EUVD-2015-1115

Malware in sbrugna...

CVSS 9.8, AI score 6.9, EPSS 0.00905
Exploits 0, References 5
EUVD, added 2025/10/03 8:07 p.m., 0 views

EUVD-2022-45535

Malicious code in bioql PyPI...

CVSS 4.8, AI score 5.3, EPSS 0.00207
Exploits 0, References 1
EUVD, added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-46463

Malicious code in bioql PyPI...

CVSS 9.1, AI score 7, EPSS 0.00587
Exploits 0, References 1
RedhatCVE, added 2025/05/22 9:34 a.m., 2 views

CVE-2015-10105

A vulnerability, which was classified as critical, was found in IP Blacklist Cloud Plugin up to 3.42 on WordPress. This affects the function validjsidentifier of the file ipblacklistcloud.php of the component CSV File Import. The manipulation of the argument filename leads to path traversal. It i...

CVSS 9.8, AI score 7, EPSS 0.00905
Exploits 0, References 1
RedhatCVE, added 2025/04/26 5:58 a.m., 8 views

CVE-2025-29512

Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database...

CVSS 6.1, AI score 6.2, EPSS 0.00358
Exploits 0, References 1
CVE, added 2025/04/18 12:00 a.m., 55 views

CVE-2025-29512

The CVE-2025-29512 entry concerns NodeBB before 4.0.5, where a Cross-Site Scripting (XSS) flaw in the application enables a remote attacker to store arbitrary code. The vulnerability affects v4.0.4 and earlier; impact includes potential disruption of the blacklist IP feature until content is remo...

CVSS 6.1, AI score 6.3, EPSS 0.00358
Exploits 0, References 2, Affected Software 1
Cvelist, added 2024/05/17 8:21 a.m., 16 views

CVE-2024-30522 WordPress Newsletter plugin <= 8.2.0 - IP Blacklist Bypass vulnerability

Authentication Bypass by Spoofing vulnerability in Stefano Lissa & The Newsletter Team Newsletter allows Functionality Bypass. This issue affects Newsletter: from n/a through 8.2.0...

CVSS 5.3, AI score 5.3, EPSS 0.00102
Exploits 0, References 1
Vulnrichment, added 2024/05/17 8:21 a.m., 12 views

CVE-2024-30522 WordPress Newsletter plugin <= 8.2.0 - IP Blacklist Bypass vulnerability

Authentication Bypass by Spoofing vulnerability in Stefano Lissa & The Newsletter Team Newsletter allows Functionality Bypass. This issue affects Newsletter: from n/a through 8.2.0...

CVSS 5.3, AI score 7, EPSS 0.00102
Exploits 0, References 1
Trellix, added 2024/01/02 12:00 a.m., 11 views

Saints Turned Evil

Saints Turned Evil. By Daksh Kapur and Rohan Shah, January 2, 2024. This blog was also written by Sushant Kumar Arya (attribution at the bottom). As technology advances, attackers are constantly developing new evasion mechanisms to bypass security products and stay one step ahead of security vendors...

AI score 7
Exploits 0
CVE, added 2023/06/06 6:24 p.m., 144 views

CVE-2023-32683

Synapse (Python, Twisted) contains a vulnerability CVE-2023-32683 where a discovered oEmbed or image URL can bypass the url_preview_url_blacklist, potentially enabling server-side request forgery or bypassing network policies. The impact is constrained to IPs allowed by url_preview_ip_range_black...

CVSS 5.4, AI score 4.4, EPSS 0.00266
Exploits 0, References 3, Affected Software 1