OESA-2026-2323 gvfs security update
Gvfs is a userspace virtual filesystem implementation for GIO, a library available in GLib. It comes with a set of backends, including trash support, SFTP, SMB, HTTP, DAV, and many others. Gvfs also contains modules for GIO that implement volume monitors and persistent metadata storage. Security...
CVE-2026-34428
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read...
CVE-2026-24117
A Server-Side Request Forgery (SSRF) flaw has been discovered in the Rekor transparency log tool. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via a user-provided URL. Since the SSRF can only trigger GET requests, the request cannot mutate...
CVE-2026-24117
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via a user-provided URL. Since the SSRF can only trigger GET requests, the request cannot mutate...
GHSA-59JP-PJ84-45MR Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass
Security Disclosure: SSRF via MetaIssuer Regex Bypass. Summary: Fulcio's metaRegex function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. T...
CVE-2026-22772
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF on...
CVE-2026-22772 Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF on...
CVE-2026-21433
Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http://emblog/admin/media.php which contains external resource references. When the...
python-kdcproxy: Unauthenticated SSRF via Realm‑Controlled DNS SRV
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request f...
Linux Distros Unpatched Vulnerability : CVE-2025-59088
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS...
EUVD-2017-9248
Malware in sbrugna...
EUVD-2017-15668
Malware in sbrugna...
EUVD-2020-26395
Malware in sbrugna...
EUVD-2025-1780
Malicious code in bioql PyPI...
CVE-2025-10453
CVE-2025-10453 affects O’View MapServer by PilotGaea Technologies. The connected sources confirm a Server-Side Request Forgery (SSRF) vulnerability that can be exploited by unauthenticated remote attackers to probe internal networks. The root cause is SSRF within the MapServer component, enabling...
GHSA-JQX4-9GPQ-RPPM @misskey-dev/summaly allows IP Filter Bypass via Redirect
Summary: Due to a validation error in got.scpaping, it is possible to use an HTTP redirect to avoid IP filtering. Details: In got.scpaping, Summaly first makes an HTTP HEAD request to the page being summarized. It then performs private IP address checks on the HEAD response, then makes an additional...
CVE-2025-0584 aEnrich Technology a+HRD - Server-Side Request Forgery (SSRF)
The a+HRD from aEnrich Technology has a Server-side Request Forgery, allowing unauthenticated remote attackers to exploit this vulnerability to probe internal network...
PT-2025-3975 · Aenrich Technology · A+Hrd
Name of the Vulnerable Software and Affected Versions: a+HRD from aEnrich Technology (affected versions not specified). Description: The issue is a Server-side Request Forgery, which allows unauthenticated remote attackers to exploit it and probe the internal network. Recommendations: At the moment,...
CVE-2024-37164
CVE-2024-37164 affects CVAT up to version 2.14.3. An account-attached SSRF vulnerability allows specifying cloud-storage endpoints with intranet/internals names to probe CVAT’s network and, if a compatible web server exists on that network, possibly create a linked cloud storage and later list, e...
CVE-2024-37164 CVAT SSRF via custom cloud storage endpoints
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT...