GHSA-39J6-4867-GG4W utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

Summary The utcp-http plugin is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registermanual validates the discovery URL against an HTTPS / loopback allowlist, but calltool and calltoolstreaming reuse...

utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

Summary The utcp-http plugin is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registermanual validates the discovery URL against an HTTPS / loopback allowlist, but calltool and calltoolstreaming reuse...

PT-2026-38625

Name of the Vulnerable Software and Affected Versions python-utcp versions prior to 1.1.3 Description The utcp-http plugin is subject to a blind Server-Side Request Forgery SSRF, a flaw where an attacker can induce the server to make requests to an unintended location. This occurs due to a...

Denial Of Service(DoS)

github.com/free5gc/openapi is vulnerable to a denial of service. The vulnerability is due to improper handling in the NudmSubscriberDataManagement API, which allows an attacker to exploit it and cause a denial of service...

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...

io.quarkiverse.docling:quarkus-docling (>=0.0.1 <=0.0.4), io.quarkiverse.docling:quarkus-docling-deployment (>=0.0.1 <=0.0.4) +112 more potentially affected by CVE-2026-42333 via io.quarkiverse.openapi.generator:quarkus-openapi-generator (>=0.10.0 <=2.15.0)

io.quarkiverse.openapi.generator:quarkus-openapi-generator MAVEN version =0.10.0, =0.0.1, =0.0.1, =0.1.0, =2.10.0, =0.4.0, =2.10.0, =2.15.0 - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel =10.2.0 - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel-deployment =10.2.0 -...

Incorrect Implementation of Authentication Algorithm

Overview Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm due to the too broad path-template matching in the runtime authentication layer. An attacker can cause sensitive authentication credentials to be sent to unintended endpoints that may...

io.quarkiverse.docling:quarkus-docling (>=0.0.1 <=0.0.4), io.quarkiverse.docling:quarkus-docling-deployment (>=0.0.1 <=0.0.4) +54 more potentially affected by CVE-2026-42333 via io.quarkiverse.openapi.generator:quarkus-openapi-generator (>=2.0.0 <=2.11.0)

io.quarkiverse.openapi.generator:quarkus-openapi-generator MAVEN version =2.0.0, =0.0.1, =0.0.1, =2.0.0, =2.10.0, =2.10.0, =2.11.0-lts - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel =10.2.0 - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel-deployment =10.2.0 -...

GHSA-FR8F-RWJX-F32V quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...

PT-2026-37202

Name of the Vulnerable Software and Affected Versions Quarkus OpenAPI Generator versions prior to 2.11.1-lts Quarkus OpenAPI Generator versions prior to 2.16.0-lts Quarkus OpenAPI Generator versions prior to 2.17.0 Description The generated authentication filter matches OpenAPI path templates too...

websec-sql-injection

WebSec SQL Injection Учебный backend-проект по безопасности в...

CVE-2026-7604

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is...

CVE-2026-7604 JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is...

CVE-2026-7604

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is...

CVE-2026-7604 JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery

A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is...

ai.h2o:sparkling-water-core_2.11 (>=3.46.0.1-1-2.3 <=3.46.0.6-1-2.4), ai.h2o:sparkling-water-core_2.12 (>=3.46.0.1-1-3.0 <=3.46.0.6-1-3.5) +760 more potentially affected by CVE-2026-42778 via org.apache.mina:mina-core (>=2.2.0 <=2.2.6)

org.apache.mina:mina-core MAVEN version =2.2.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =1.5.4.RELEASE, =0.0.2, =3.0.0, =1.0.9, =1.6.9, =1.2.5, =1.1.7, =1.2.8 and more Source cves: CVE-2026-42778 Sourc...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.7.4) +1788 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=7.0.0 <=7.0.6)

org.springframework:spring-webmvc MAVEN version =7.0.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0, =2.0.0, =0.1.1, =0.2.0, =0.5.0, =0.7.0, =0.5.0, =0.5.0, =0.7.5 and more Source cves: CVE-2026-22741 Source advisory: OSV:GHSA-WG35-8JPF-2XV3...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.7.4) +1788 more potentially affected by CVE-2026-22745 via org.springframework:spring-webmvc (>=7.0.0 <=7.0.6)

org.springframework:spring-webmvc MAVEN version =7.0.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =2.0.0, =2.0.0, =0.1.1, =0.2.0, =0.5.0, =0.7.0, =0.5.0, =0.5.0, =0.7.5 and more Source cves: CVE-2026-22745 Source advisory: OSV:GHSA-6P4F-WCWH-5VVM...

CVE-2026-7306

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument defaulttok...

CVE-2026-7306

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument defaulttok...