Lucene search
K

26 matches found

NVD
NVD
added 3 days ago7 views

CVE-2026-50188

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request, Remote::get, and Remote::post, to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters...

6.9CVSS0.0029EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/01 11:9 a.m.6 views

axios: Axios: Arbitrary HTTP header injection via prototype pollution

A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to...

7.4CVSS6.9AI score0.00394EPSS
Exploits1References5
Snyk
Snyk
added 2026/06/18 1:1 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the processing of user-supplied URLs in outgoing HTTP components, including notification channels, OIDC backchannel logout, and SAML metadata fetches. An attacker can access internal network resources...

4.2CVSS6AI score0.00252EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 1:1 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the processing of user-supplied URLs in outgoing HTTP components, including notification channels, OIDC backchannel logout, and SAML metadata fetches. An attacker can access internal network resources...

4.2CVSS6AI score0.00252EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.13 views

PT-2026-50722

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Kirby sites and plugins using the KirbyHttpRemote class, including the functions Remote::request, Remote::get, and Remote::post, are susceptible to HTTP header injection...

6.9CVSS6AI score0.0029EPSS
Exploits0References8
NVD
NVD
added 2026/06/11 2:16 p.m.14 views

CVE-2026-53723

Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures. Versions prior ro 1.5.4 do not safely serialize scalar XML element values containing...

5.8CVSS0.00219EPSS
Exploits0References1
OSV
OSV
added 2026/06/11 1:5 p.m.8 views

GHSA-Q8R6-5HFW-5JFF guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator

Impact guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator . The XML request serializer writes values containing , or & with XMLWriter::writeCData$value. If attacker-controlled input contains , the CDATA section closes early and the...

5.8CVSS5.4AI score0.00219EPSS
Exploits0References3
CVE
CVE
added 2026/06/11 12:42 p.m.47 views

CVE-2026-53723

Guzzle Services (guzzlehttp/guzzle-services) contains an XML request serialization flaw in versions before 1.5.4 where scalar XML element values may include the CDATA terminator ]]>, causing the CDATA to end early and injecting XML markup into outgoing requests. This is an outgoing request‑bod...

5.8CVSS5.4AI score0.00219EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 12:42 p.m.10 views

CVE-2026-53723 guzzlehttp/guzzle-services' XML Request Serialization Vulnerable to XML Injection via CDATA Terminator

Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures. Versions prior ro 1.5.4 do not safely serialize scalar XML element values containing...

5.8CVSS5.4AI score0.00219EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.19 views

PT-2026-48666

Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures. Versions prior ro 1.5.4 do not safely serialize scalar XML element values containing...

5.8CVSS5.4AI score0.00219EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/06/10 3:39 p.m.8 views

axios: Axios: Arbitrary HTTP header injection via prototype pollution

A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to...

7.4CVSS7.7AI score0.00394EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.9 views

CVE-2026-44516

Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers...

7.6CVSS5.8AI score0.002EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.11 views

WordPress plugin WP EasyPay 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

5.3CVSS5.8AI score0.00197EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/28 2:27 p.m.12 views

CVE-2026-42035

A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to...

7.4CVSS5.3AI score0.00394EPSS
Exploits1References4
Veracode
Veracode
added 2026/02/21 5:7 a.m.9 views

Server-Side Request Forgery

Indico is vulnerable to Server-Side Request Forgery. The vulnerability is due to Indico making outgoing requests to user-provided URLs in various places, where users can access special targets such as localhost or cloud metadata endpoints, and attackers can exploit this to access sensitive data...

6.9CVSS5.7AI score0.00189EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/02/20 12:0 a.m.7 views

WordPress plugin JobBoard Job listing 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

5.9CVSS5.8AI score0.00309EPSS
Exploits0References1
OSV
OSV
added 2026/02/19 3:30 p.m.5 views

CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of...

6.9CVSS5.7AI score0.00189EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/02/17 6:53 p.m.6 views

Indico has Server-Side Request Forgery (SSRF) in multiple places

Impact Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or cloud metadata endpoints. Patches You should to update to Indic...

6.9CVSS5.7AI score0.00189EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/17 12:0 a.m.5 views

PT-2026-20327

Name of the Vulnerable Software and Affected Versions Indico versions prior to 3.3.10 Description Indico, an event management system, is susceptible to server-side request forgery SSRF. The system makes outgoing requests to URLs provided by users. While this functionality is intentional, it could...

6.9CVSS5.5AI score0.00189EPSS
Exploits0References10
OSV
OSV
added 2025/02/18 7:25 p.m.3 views

GHSA-M3PM-RPGG-5WJ6 Home Assistant does not correctly validate SSL for outgoing requests in core and used libs

Summary Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. Details In the past, aiohttp-session/request had the parameter verifyssl to control SSL certificate verification. This was a boolean value. In...

7CVSS6AI score0.00229EPSS
Exploits0References4
Rows per page
Query Builder