
13 matches found

OSV
added 6 days ago, 2 views

GHSA-PJWM-PJ3P-43MV axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Summary: shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the...

CVSS 8.6, AI score 6.6, EPSS 0.00069
Exploits 1, References 3
EUVD
added 2026/05/15 7:22 p.m., 4 views

EUVD-2026-30611

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validateurl in backend/openwebui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private keyword for IPv6 — the call...

CVSS 8.5, AI score 5.8, EPSS 0.00013
Exploits 1, References 1
OSV
added 2026/05/07 5:6 a.m., 3 views

MGASA-2026-0115 Updated perl-Net-CIDR-Lite packages fix security vulnerabilities

Net::CIDR::Lite versions before 0.23 for Perl do not validate IPv6 group count, which may allow IP ACL bypass. (CVE-2026-40198) Net::CIDR::Lite versions before 0.23 for Perl mishandle IPv4-mapped IPv6 addresses, which may allow IP ACL bypass. (CVE-2026-40199)...

CVSS 7.5, AI score 5.8, EPSS 0.00052
Exploits 0, References 5
OSV
added 2026/04/08 12:17 a.m., 1 view

GHSA-XPCF-PG52-R92G Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Summary: ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. Details: The middlewar...

CVSS 6.3, AI score 5.8, EPSS 0.00013
Exploits 0, References 5
AlpineLinux
added 2026/02/25 4:4 a.m., 3 views

CVE-2026-27624

Coturn is a free, open-source implementation of a TURN and STUN server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "::1" and "::", but IPv4-mapped IPv6 is not...

CVSS 7.2, AI score 7, EPSS 0.00053
Exploits 1
Vulnrichment
added 2026/02/19 10:49 p.m., 3 views

CVE-2026-26324 OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:7f00:1 (which is 127.0.0.1). This could allow requests that should be blocked loopback / private network / link-local metada...

CVSS 7.5, AI score 5.5, EPSS 0.00017
Exploits 0, References 3
Snyk
added 2025/09/22 7:42 p.m., 1 view

Server-side Request Forgery (SSRF)

Overview: is-localhost-ip checks whether a given DNS name or IPv4/IPv6 address belongs to a local machine. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the isLocalhost function, which misclassifies IP addresses and allows localhost checks to be bypassed...

CVSS 7.2, AI score 6.6, EPSS 0.00065
Exploits 2, References 2
Tenable Nessus
added 2024/12/12 12:0 a.m., 7 views

Fedora 41 : python3.9 (2024-47e4624c89)

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-47e4624c89 advisory. Python 3.9.21 security release. Security content in this release: gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to...

CVSS 7.8, AI score 7, EPSS 0.00061
Exploits 0, References 2
Tenable Nessus
added 2024/12/08 12:0 a.m., 13 views

Fedora 41 : python3.11 (2024-01d838d947)

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-01d838d947 advisory. Python 3.11.11 security release. Security content in this release: gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to...

CVSS 7.8, AI score 7, EPSS 0.00061
Exploits 0, References 2
RedHat Linux
added 2024/10/10 8:31 p.m., 0 views

golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

A flaw was found in the Go language standard library net/netip. The Is methods (IsPrivate, IsPublic, etc.) do not behave properly when working with IPv4-mapped IPv6 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to...

CVSS 9.8, AI score 7.2, EPSS 0.00172
Exploits 0, References 4
Microsoft CVE
added 2020/08/18 7:0 a.m., 3 views

QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.

...

CVSS 3.3, AI score 7, EPSS 0.0013
Exploits 1
seebug.org
added 2007/08/24 12:0 a.m., 32 views

ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit

No description provided by source. / Anti-modTLS-0day version 2 ProFTPd .. + modtls remote-root-0day-exploit main advantages of this exploit: 1 No patched modtls versions yet 2 This is a preauthentication bug 3 Bruteforcing option eheheheee main disadvantages: ...

AI score 7.1
Exploits 0
0day.today
added 2007/08/24 12:0 a.m., 31 views

ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit

Exploit for linux platform in category remote exploits. ProFTPD 1.x (module mod_tls) Remote Buffer Overflow Exploit. / Anti-modTLS-0day version 2 ProFTPd .. + modtls...

AI score 7.1
Exploits 0