84 matches found

RedHat Linux
added 2026/05/20 8:47 p.m. | 5 views

Apache Neethi: Apache Neethi: Information disclosure and network access bypass via PolicyReference API

A flaw was found in Apache Neethi. When an application explicitly calls the PolicyReference API to retrieve a policy from a remote Uniform Resource Identifier (URI), Apache Neethi does not impose restrictions on the URI. This allows a remote attacker to cause the application to make outbound reques...

CVSS 7.2 | AI score 5.9 | EPSS 0.00045
Exploits: 0 | References: 5
RedhatCVE
added 2026/05/11 8:27 p.m. | 3 views

CVE-2026-45182

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let systemserver transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" a...

CVSS 2.2 | AI score 5.8 | EPSS 0.00011
Exploits: 0 | References: 1
NVD
added 2026/05/09 11:16 p.m. | 6 views

CVE-2026-45182

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let systemserver transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" a...

CVSS 2.2 | EPSS 0.00011
Exploits: 0 | References: 3
CVE
added 2026/05/07 3:01 a.m. | 6 views

CVE-2026-42194

CVE-2026-32812 affects Admidio’s SSO Metadata endpoint (modules/sso/fetch_metadata.php). Versions 5.0.0–5.0.6 allow SSRF and local file reads because the code passes an arbitrary URL directly to file_get_contents() after validating the URL with FILTER_VALIDATE_URL, enabling abuse via various sche...

CVSS 6.8 | AI score 5.7 | EPSS 0.00034
Exploits: 0 | References: 2
Github Security Blog
added 2026/05/06 9:52 p.m. | 3 views

kube-router: GoBGP gRPC Admin Port Exposed on Node Primary IP Without Authentication, Allowing Cluster-Wide BGP Route Injection

Summary: When the kube-router routing controller starts (--run-router), it binds the GoBGP gRPC management server to the node's primary IP (e.g., 192.168.1.10:50051) in addition to 127.0.0.1:50051. The default admin port is 50051 and the server is enabled by default with no TLS and no authentication...

AI score 6
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2026/05/05 8:03 p.m. | 1 view

GHSA-HCJJ-CHVW-FMW9 Admidio has an incomplete fix for CVE-2026-32812 (SSRF)

Summary: The incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init, leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. Affected Package - Ecosystem: Other - Package: admidio -...

CVSS 6.8 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 6
Github Security Blog
added 2026/05/05 8:03 p.m. | 4 views

Admidio has an incomplete fix for CVE-2026-32812 (SSRF)

Summary: The incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init, leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. Affected Package - Ecosystem: Other - Package: admidio -...

CVSS 6.8 | AI score 5.9 | EPSS 0.00034
Exploits: 1 | References: 6 | Affected Software: 1
NVD
added 2026/04/07 4:16 p.m. | 2 views

CVE-2026-35516

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a publ...

CVSS 5 | EPSS 0.00012
Exploits: 1 | References: 1
Positive Technologies
added 2026/04/07 12:00 a.m. | 1 view

PT-2026-30864

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a publ...

CVSS 5 | AI score 5.9 | EPSS 0.00012
Exploits: 1 | References: 2
Vulnrichment
added 2026/02/25 11:51 p.m. | 3 views

CVE-2026-27808 Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API

Mailpit is an email testing tool and API for developers. Prior to version 1.29.2, the Link Check API (/api/v1/message/ID/link-check) is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering...

CVSS 5.8 | AI score 5.6 | EPSS 0.00047
Exploits: 1 | References: 3
Cvelist
added 2026/02/02 11:48 p.m. | 23 views

CVE-2025-61639 Suppressed blocked IP is visible in Special:BlockList, RC, and other places

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This...

CVSS 6.3 | EPSS 0.00008
Exploits: 0 | References: 1
GithubExploit
added 2026/01/09 1:14 a.m. | 212 views

Exploit for CVE-2025-45955

CVE-2025-45955 🕳️ Server-Side Request Forgery in DonWeb Ferozo...

AI score 6.8
Exploits: 1
NVD
added 2025/11/24 7:15 p.m. | 2 views

CVE-2025-36112

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user...

CVSS 5.3 | EPSS 0.00031
Exploits: 0 | References: 1
Vulnrichment
added 2025/10/21 3:48 a.m. | 2 views

CVE-2025-62699 Special:Translate tool does not use the correct IP and User-Agent in the CheckUser tool

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Translate Extension allows Footprinting. Translate extension appears to use jobs to make edits to translation pages. This causes the CheckUser tool to log the wrong IP and User-Agent...

CVSS 6.9 | AI score 6.6 | EPSS 0.00058
Exploits: 0 | References: 3
CVE
added 2025/10/21 3:48 a.m. | 6 views

CVE-2025-62699

The CVE-2025-62699 issue affects the Wikimedia Foundation MediaWiki Translate Extension (master before 1.39). The root cause is the Translate Extension’s use of jobs to edit translation pages, which causes the CheckUser tool to log the wrong IP and User-Agent, making these edits un-auditable. Thi...

CVSS 6.9 | AI score 6.6 | EPSS 0.00058
Exploits: 0 | References: 3
EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2014-8669

Malware in sbrugna...

CVSS 5 | AI score 6.2 | EPSS 0.0048
Exploits: 0 | References: 7
EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2002-0206

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.07825
Exploits: 0 | References: 5
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2017-7826

Malware in sbrugna...

CVSS 4.3 | AI score 4.8 | EPSS 0.00586
Exploits: 4 | References: 6
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2019-6662

Malware in sbrugna...

CVSS 5.3 | AI score 5.3 | EPSS 0.00264
Exploits: 0 | References: 4
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2002-2324

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.00455
Exploits: 0 | References: 4