11 matches found
CVE-2026-33655
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...
CVE-2026-33655
The CVE-2026-33655 issue affects New API prior to version 0.12.0-alpha.1 where SSRF protection did not apply IP filtering to hostnames by default due to ApplyIPFilterForDomain being disabled. Authenticated users could configure notification URLs (Webhook, Bark, Gotify) that resolve to internal or...
CVE-2026-33655
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
Summary The default SSRF protection configuration did not apply IP filtering to hostnames. With ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address. Authenticated users could configure...
PT-2026-56211
Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1 Description An issue exists where the default Server-Side Request Forgery SSRF protection configuration fails to apply IP filtering to hostnames. Because the ApplyIPFilterForDomain setting is disabled b...
CVE-2026-33399
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validatewebhookurlforssrf protection was added to the test notification endpoints but not to the...
CVE-2026-33399 Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validatewebhookurlforssrf protection was added to the test notification endpoints but not to the...
CVE-2026-33399 Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validatewebhookurlforssrf protection was added to the test notification endpoints but not to the...
CVE-2026-33399
CVE-2026-33399 / CVE-2026-33401 (Wallos): Open-source personal subscription tracker with SSRF flaws that were partially patched in version 4.7.0. The issues arise from incomplete SSRF mitigation: while 4.6.2 added protection to some notification endpoints, it did not cover all save/test paths, en...
WordPress plugin Tablesome 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...
CVE-2018-13439
The CVE-2018-13439 entry affects WXPayUtil in the WeChat Pay Java SDK, where the WXPayUtil class is vulnerable to XML External Entity (XXE) attacks via a merchant notification URL. The connected documents confirm XXE exploitation risk and describe the underlying issue as improper XML processing t...