27 matches found
CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to...
CVE-2026-56663
AutoGPT (SendWebRequestBlock) prior to version 0.6.52 is vulnerable to a SSRF-to-RCE chain due to improper normalization of IPv4-mapped IPv6 addresses in _is_ip_blocked(), which fails to block IPv4-mapped addresses and special-use ranges (e.g., 100.64.0.0/10). An authenticated user can bypass pri...
CVE-2026-49979
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses...
pyLoad 安全漏洞
pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev100 contained security vulnerabilities. These vulnerabilities stemmed from the lack of private IP checks based on PREREQFUNCTION being applied to HTTPRequests. Attackers could bypass the isglobalho...
CVE-2026-33234
CVE-2026-33234 affects AutoGPT versions 0.1.0–0.6.51, where SendEmailBlock accepts user-provided smtp_server and smtp_port and passes them to Python’s smtplib.SMTP() without IP address validation. This bypasses hardened SSRF protections (validate_url_host and BLOCKED_IP_NETWORKS) used by other bl...
FreeBSD : mail/mailpit -- multiple vulnerabilities (6e701ad2-4f61-11f1-af6d-10ffe07f9334)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 6e701ad2-4f61-11f1-af6d-10ffe07f9334 advisory. Mailpit author reports: Set a default 50MB per message limit to prevent DoS via unlimited SMTP...
CVE-2026-42345
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith check against a hardcoded list. This check can be bypassed using at least 7 different...
CVE-2026-42345
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith check against a hardcoded list. This check can be bypassed using at least 7 different...
CVE-2026-42345 FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith check against a hardcoded list. This check can be bypassed using at least 7 different...
CVE-2026-42345
FastGPT (version 4.14.11 and earlier) exposes an SSRF risk in isInternalAddress() (packages/service/common/system/utils.ts) where a fullUrl.startsWith() hardcoded blocklist can be bypassed by at least 7 URL-encoding techniques that resolve to the cloud metadata endpoint. The broader private IP ch...
PT-2026-39208
Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.14.11 Description The isInternalAddress function in packages/service/common/system/utils.ts fails to properly block cloud metadata endpoints. The function uses a fullUrl.startsWith check against a hardcoded list tha...
PT-2026-37221
Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...
PT-2026-31437
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE DOWNLOAD FROM URL is enabled opt-in, authenticated users can supply remote image URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation again...
CVE-2026-33766 AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
WWBN AVideo is an open source video platform. In versions up to and including 26.0, isSSRFSafeURL validates URLs against private/reserved IP ranges before fetching, but urlgetcontents follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by...
CVE-2026-27479
CVE-2026-27479 affects Wallos versions ≤ 4.6.0, where a SSRF issue arises in the logo/icon URL fetch. The application validates the target URL’s IP, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true) and follows up to 3 redirects, bypassing the initial IP check and enabling access to inter...
CVE-2025-66508
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies TrustedProxies = 0.0.0.0/0, allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls...
EUVD-2006-1257
Malware in sbrugna...
Exploit for Path Traversal in Mikrotik Routeros
This is a PoC exploit for CVE-2018-14847 targeting RouterOS-based routers. The tool, named Meris RouterOS Checker, checks a list of IP addresses to validate if they were infected with Meris. It uses the RouterOS API, SSH, and WinBox to connect to the routers and attempt to exploit the...
Malicious code in ip-checks (npm)
The package ip-checks was found to contain malicious code...
MAL-2025-42014 Malicious code in ip-checks (npm)
The package ip-checks was found to contain malicious code...