15 matches found
CVE-2026-44516
Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers...
WordPress plugin WP EasyPay 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2026-42035
A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to...
Server-Side Request Forgery
Indico is vulnerable to Server-Side Request Forgery. The vulnerability is due to Indico making outgoing requests to user-provided URLs in various places, where users can access special targets such as localhost or cloud metadata endpoints, and attackers can exploit this to access sensitive data...
WordPress plugin JobBoard Job listing 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of...
Indico has Server-Side Request Forgery (SSRF) in multiple places
Impact Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or cloud metadata endpoints. Patches You should to update to Indic...
PT-2026-20327
Name of the Vulnerable Software and Affected Versions Indico versions prior to 3.3.10 Description Indico, an event management system, is susceptible to server-side request forgery SSRF. The system makes outgoing requests to URLs provided by users. While this functionality is intentional, it could...
GHSA-M3PM-RPGG-5WJ6 Home Assistant does not correctly validate SSL for outgoing requests in core and used libs
Summary Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. Details In the past, aiohttp-session/request had the parameter verifyssl to control SSL certificate verification. This was a boolean value. In...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview OpenTelemetry.Instrumentation.AspNetCore is an ASP.NET Core instrumentation for OpenTelemetry .NET Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the logging of sensitive query parameters by default. This...
DRUPAL-CORE-2022-006
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has...
Tomcat: CGI sets environmental variable based on user supplied Proxy request header
It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker coul...
HTTPD: sets environmental variable based on user supplied Proxy request header
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...
HTTPD: sets environmental variable based on user supplied Proxy request header
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...
USN-3038-1 apache2 vulnerability
It was discovered that the Apache HTTP Server would set the HTTPPROXY environment variable based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with CGI scripts that honour the HTTPPROXY variable to redirect outgoing HTTP...