vLLM 代码问题漏洞

vLLM is an open-source solution designed for LLM-based models, featuring high throughput and memory-efficient reasoning and service engines. Versions of vLLM prior to 0.16.0 to 0.19.0 contained code vulnerabilities. These vulnerabilities stemmed from a lack of URL validation in the...

PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

Summary passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is...

GHSA-89V5-38XR-9M4J Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader

Summary Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code 1. Webhook Send Endpoint Most Critical apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...

CVE-2026-32255

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch server-side, and returns the...

0xRACER 输入验证错误漏洞

0xRACER is a new team-based pool lottery game. 0xRACER is vulnerable to an input validation error stemming from a lack of target address validation in the destroycontract function of 0xRACER version 1.0, which could be exploited by an attacker to steal a token from a victim user via a carefully...