18 matches found
CVE-2026-42260
Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF wit...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to incorrect parse function values in net/url (CVE-2025-47912)
Summary IBM Watson Speech Services Cartridge is vulnerable to a condition in net/url that allows incorrect parse function values other than IPv6 addresses to be included in square brackets within the host component of a URL CVE-2025-47912, Net/url is used in our speech-utilities. This...
CVE-2026-39361
OpenObserve (cloud-native observability platform)
Important: cni-plugins
Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...
Important: cri-tools
Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...
Amazon Linux 2 : oci-add-hooks, --advisory ALAS2ECS-2025-080 (ALASECS-2025-080)
The version of oci-add-hooks installed on the remote host is prior to 0-0.5.20200504git325a340. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2025-080 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values...
Amazon Linux 2023 : docker (ALAS2023-2025-1274)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1274 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL...
Amazon Linux 2 : containerd, --advisory ALAS2DOCKER-2025-082 (ALASDOCKER-2025-082)
The version of containerd installed on the remote host is prior to 2.1.4-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2025-082 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6...
Amazon Linux 2 : amazon-cloudwatch-agent, --advisory ALAS2-2025-3068 (ALAS-2025-3068)
The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300060.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3068 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values othe...
Amazon Linux 2 : containerd, --advisory ALAS2ECS-2025-079 (ALASECS-2025-079)
The version of containerd installed on the remote host is prior to 2.1.4-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2025-079 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6...
CVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses and hostnames mus...
Amazon Linux 2 : runc, --advisory ALAS2ECS-2025-077 (ALASECS-2025-077)
The version of runc installed on the remote host is prior to 1.3.2-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2ECS-2025-077 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...
CVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses and hostnames mus...
CVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses and hostnames mus...
UBUNTU-CVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses and hostnames mus...
GO-2025-4010 Insufficient validation of bracketed IPv6 hostnames in net/url
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses and hostnames mus...
Important: golang
Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...
Medium: python3.9
Issue Overview: The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could...