Lucene search
K

6 matches found

CVE
CVE
added 4 days ago6 views

CVE-2026-49213

TypeBot prior to version 3.17.2 contains an SSRF protection bypass in the shared validator (packages/lib/src/ssrf/validateHttpReqUrl.ts). The validator allows the IPv6 unspecified address :: (and its expanded form) to bypass local, metadata, and private range checks, enabling a workspace editor/c...

8.1CVSS6.1AI score0.00319EPSS
Exploits0References4
OSV
OSV
added 4 days ago3 views

CVE-2026-49213 TypeBot: SSRF protection bypass via IPv6 unspecified address in Typebot HTTP request execution

TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/validateHttpReqUrl.ts can be bypassed with the IPv6 unspecified address :: because validateIPAddress blocks local, metadata, and private ranges but does not block :: or its expanded form. ...

8.1CVSS6.1AI score0.00319EPSS
Exploits0References6
OSV
OSV
added 2026/07/06 5:55 a.m.4 views

BIT-MASTODON-2026-46348 Mastodon: SSRF Bypass via IPv6 Unspecified Address (::)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make...

8.7CVSS6AI score0.00337EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 7:39 p.m.33 views

CVE-2026-46348

CVE-2026-46348 affects Mastodon servers prior to 4.5.10, 4.4.17, and 4.3.23. The issue stems from the disallowed IP range list lacking an IPv6 unspecified address (::), allowing an attacker to induce HTTP requests to loopback interfaces and potentially access private resources and services. Impac...

8.7CVSS5.9AI score0.00337EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/16 9:0 p.m.12 views

Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped)

Summary The Docker API server's SSRF protection validatewebhookurl / validateurldestination in deploy/docker/utils.py used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata endpoints e.g. 169.254.169.254 despite...

7.5CVSS5.5AI score0.00267EPSS
Exploits0References2Affected Software1
Anthropic
Anthropic
added 2026/03/30 11:19 p.m.58 views

ANT-2026-6DSMTXZ8 · mastodon · SSRF

ssrf high GHSA-crr4-7rm4-8gpw Severity Claude high · Security research firm high · Maintainer unknown Discovered by Claude Mythos Preview REPORT Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Doyensec. ANT-2026-6DSMTXZ8: SSRF Bypass via IPv6 Unspecified...

5.9AI score
Exploits0
Rows per page
Query Builder