CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 3 days ago•6 views

CVE-2026-49138 Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...

5.3CVSS5.8AI score0.00039EPSS

Exploits0References4

CVE•added 3 days ago•14 views

CVE-2026-49138

Nanobot prior to version 0.2.1 contains a server-side request forgery (SSRF) in the web_fetch tool. An attacker can supply a URL that redirects to a loopback or private address via a 3xx Location header, taking advantage of the httpx library’s automatic redirect-follow behavior to bypass initial ...

5.3CVSS5.8AI score0.00039EPSS

Exploits0References4

ATTACKERKB•added 3 days ago•7 views

CVE-2026-49138

5.3CVSS5.8AI score0.00039EPSS

OSV•added 3 days ago•3 views

BIT-KIBANA-2026-49093 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Server-Side Request Forgery CWE-918 in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block...

OSV•added 3 days ago•4 views

BIT-ELK-2026-49093 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

OSV•added 3 days ago•5 views

BIT-ELK-2026-42398 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Server-Side Request Forgery CWE-918 in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations...

NVD•added 3 days ago•9 views

CVE-2026-49328

Server-Side Request Forgery SSRF in the UrlImageConverter component of Apache Fesod Incubating fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to...

5.3CVSS0.0013EPSS

ATTACKERKB•added 3 days ago•5 views

CVE-2026-49328

5.8AI score0.0013EPSS

EUVD•added 3 days ago•8 views

EUVD-2026-33622

5.3CVSS5.8AI score0.0013EPSS

Exploits0References4

Packet Storm News•added 3 days ago•4 views

DMonitor 1.0.3 Outbound Connection / Port Configuration Auditor

This Python script is an outbound connection and port configuration auditor for DMonitor version 1.0.3...

5.8AI score

Exploits0

Positive Technologies•added 3 days ago•8 views

PT-2026-45399

Name of the Vulnerable Software and Affected Versions Apache Fesod Incubating fesod-sheet versions prior to 2.0.2-incubating Description Server-Side Request Forgery SSRF in the UrlImageConverter component allows attackers to trigger outbound network requests to internal or restricted resources by...

5.3CVSS5.8AI score0.0013EPSS

Exploits0References9

CNNVD•added 3 days ago•3 views

Apache Fesod security vulnerabilities

Apache Fesod is a high-performance spreadsheet file reading and writing library developed by the Apache Foundation in the United States. Versions of Apache Fesod prior to 2.0.2-incubating contained security vulnerabilities. These vulnerabilities were caused by a request forgeing issue in the...

5.3CVSS5.8AI score0.0013EPSS

Positive Technologies•added 3 days ago•7 views

PT-2026-45353

A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured opt-in, not enforced by default, an unauthenticated attacker can submit a manifest with...

5.8CVSS5.7AI score0.00035EPSS

RedhatCVE•added 6 days ago•7 views

CVE-2026-49093

RedhatCVE•added 6 days ago•8 views

CVE-2026-42398

RedhatCVE•added 6 days ago•6 views

CVE-2026-42401

Improper Neutralization of Input During Web Page Generation CWE-79 in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently...

5.4CVSS5.8AI score0.00023EPSS

RedhatCVE•added 6 days ago•5 views

CVE-2026-5065

IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data...

8.8CVSS5.8AI score0.00038EPSS

OSV•added 6 days ago•1 views

GHSA-WJJV-3MJ2-39HF AgenticMail API/storage and outbound relay hardening fixes

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct...

5.8AI score

Exploits0References8

NVD•added 6 days ago•6 views

CVE-2026-46372

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it...

8.5CVSS0.02589EPSS