Lucene search
K

3450 matches found

EUVD
EUVD
added yesterday11 views

EUVD-2026-36132

Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges...

8.6CVSS6.1AI score0.00269EPSS
Exploits1References2
NVD
NVD
added yesterday6 views

CVE-2026-15619

A weakness has been identified in mosaxiv clawlet up to 0.2.10. The impacted element is the function webfetch of the file tools/toolwebfetch.go of the component IPv4 Handler. This manipulation of the argument url causes server-side request forgery. The attack can be initiated remotely. The exploi...

7.5CVSS0.00252EPSS
Exploits0References6
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-43306

A Server-Side Request Forgery SSRF protection bypass existed in the htmltomarkdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges...

8.3CVSS6.1AI score0.00239EPSS
Exploits0References2
NVD
NVD
added 2 days ago4 views

CVE-2026-62143

A Server-Side Request Forgery SSRF protection bypass existed in the htmltomarkdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges...

8.3CVSS0.00239EPSS
Exploits0References1
OSV
OSV
added 2 days ago3 views

CVE-2026-62143 Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses

A Server-Side Request Forgery SSRF protection bypass existed in the htmltomarkdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges...

8.3CVSS6.1AI score0.00239EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-62143 Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses

A Server-Side Request Forgery SSRF protection bypass existed in the htmltomarkdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges...

8.3CVSS0.00239EPSS
Exploits0References1
NVD
NVD
added 3 days ago7 views

CVE-2026-10666

parseipv4 in subsys/net/ip/utils.c reached via netipaddrparse for strings of the form "a.b.c.d:port" copies the port substring into a fixed 17-byte stack buffer char ipaddrNETIPV4ADDRLEN + 1 using a length of strlen - end - 1, where strlen is the full, unbounded input length and end is only the...

8.1CVSS0.00346EPSS
Exploits0References3
OSV
OSV
added 3 days ago3 views

CVE-2026-10666 Stack buffer overflow in `net_ipaddr_parse()` IPv4 address-with-port parsing in `subsys/net/ip/utils.c`

parseipv4 in subsys/net/ip/utils.c reached via netipaddrparse for strings of the form "a.b.c.d:port" copies the port substring into a fixed 17-byte stack buffer char ipaddrNETIPV4ADDRLEN + 1 using a length of strlen - end - 1, where strlen is the full, unbounded input length and end is only the...

8.1CVSS6.2AI score0.00346EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 3 days ago5 views

CVE-2026-10666 Stack buffer overflow in `net_ipaddr_parse()` IPv4 address-with-port parsing in `subsys/net/ip/utils.c`

parseipv4 in subsys/net/ip/utils.c reached via netipaddrparse for strings of the form "a.b.c.d:port" copies the port substring into a fixed 17-byte stack buffer char ipaddrNETIPV4ADDRLEN + 1 using a length of strlen - end - 1, where strlen is the full, unbounded input length and end is only the...

8.1CVSS6.2AI score0.00346EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 3 days ago4 views

Linux Distros Unpatched Vulnerability : CVE-2026-53450

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is...

7.4CVSS6.1AI score0.00287EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 5 days ago9 views

CVE-2026-53450

A flaw was found in Coturn, an open-source implementation of TURN and STUN servers. An authenticated TURN client can bypass the default loopback protection mechanism by using an IPv4-mapped IPv6 peer address. This allows the client to expose services that are intended to be accessible only from t...

7.4CVSS6AI score0.00287EPSS
Exploits0References5
Cvelist
Cvelist
added last week40 views

CVE-2026-60105 Monsta FTP < 2.14.5 SSRF via IPv4-Mapped IPv6 Address Bypass

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obta...

8.6CVSS0.00308EPSS
Exploits0References3
EUVD
EUVD
added last week8 views

EUVD-2026-42427

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obta...

8.6CVSS5.9AI score0.00308EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.6 views

PT-2026-56613

Name of the Vulnerable Software and Affected Versions Monsta FTP versions prior to 2.14.5 Description An unauthenticated attacker can trigger a server-side request forgery SSRF by bypassing an IP blocklist. The issue occurs in the fetchRemoteFile action due to an incomplete check in the isBlocked...

8.6CVSS5.9AI score0.00308EPSS
Exploits0References9
OSV
OSV
added 2026/07/07 11:46 p.m.7 views

GHSA-VMFC-9982-2M45 Weblate SSRF: outbound URL guard misses some private ranges

Impact Weblate's VCSRESTRICTPRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. Patches https://github.com/WeblateOrg/weblate/pull/19768 Resources The issue wa...

5.9CVSS5.9AI score0.00291EPSS
Exploits0References5
NVD
NVD
added 2026/07/06 8:16 p.m.8 views

CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

6.8CVSS0.00208EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/06 7:16 p.m.37 views

CVE-2026-58404 Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

4.6CVSS0.00208EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/07/06 7:16 p.m.6 views

CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

6.8CVSS5.8AI score0.00208EPSS
Exploits0
OSV
OSV
added 2026/07/06 8:48 a.m.7 views

USN-8508-1 linux-nvidia-6.17 vulnerabilities

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - S390 architecture; - Block layer subsystem; - Cryptographic API; - DMA engine subsystem; - GP...

9.8CVSS6.2AI score0.00817EPSS
Exploits9References85
OSV
OSV
added 2026/07/06 5:55 a.m.3 views

BIT-MASTODON-2026-47389 Mastodon: SSRF protection bypass on older Ruby versions

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.privateaddress? returns false for IPv4-mapped IPv6 addresses ::ffff:a.b.c.d corresponding to some private IPv4 addresses,...

8.6CVSS6AI score0.00232EPSS
Exploits0References2
Rows per page
Query Builder