CVE-2026-8606 Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and...
CVE-2026-8606
A Server-Side Request Forgery (SSRF) in GitHub Enterprise Server was exposed via the security advisories package lookup endpoint, allowing an attacker to issue HTTP requests to internal services. By directing requests to an internal management service and measuring response timing, an attacker co...
CVE-2026-41195 mosparo: Rule package source URL stored SSRF enables internal HTTP probing
mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and...
mosparo code issue vulnerability
Mosparo is a modern spam protection software developed under open source. Versions of Mosparo prior to 1.4.13 had code vulnerabilities. These vulnerabilities stemmed from the automatic rule package source URL feature, which allowed project members with editor roles to store URLs controlled by...
CVE-2026-34160
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetche...
CVE-2022-41497
ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the pkgurl parameter at /manager/index.php...
lockfile-lint-api Vulnerable to Incorrect Behavior Order
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
CVE-2025-4759
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...
CVE-2025-4759
CVE-2025-4759 affects the lockfile-lint-api package. The root cause is an incorrect behavior order in URL validation (the resolved attribute) that can be bypassed by extending the package name, allowing installation of other npm packages beyond the intended one. Reported impact includes potential...
PT-2025-21607 · Npm · Lockfile-Lint-Api
Name of the Vulnerable Software and Affected Versions: lockfile-lint-api versions prior to 5.9.2 Description: The issue concerns incorrect behavior order, specifically early validation, via the resolved attribute of the package URL validation. This can be bypassed by extending the package name,...
Incorrect Behavior Order: Early Validation
Overview: lockfile-lint-api is a library to lint an npm or yarn lockfile and detect issues. Affected versions of this package are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation, which can be bypassed by extending the package name...
CVE-2025-1211
CVE-2025-1211 affects hackney releases before 1.21.0. The root cause is improper URL parsing by the URI module and hackney, leading to SSRF when a URL like http://[email protected]/ is parsed so that the host differs between the parsing function and hackney. This can enable an attacker to misro...
EulerOS 2.0 SP9 : python-setuptools (EulerOS-SA-2024-2837)
According to the versions of the python-setuptools packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download...
ClipperCMS code issue vulnerability
ClipperCMS is a content management system (CMS) from the ClipperCMS team. A security vulnerability exists in ClipperCMS version 1.3.3, which stems from a server-side request forgery (SSRF) via the pkgurl parameter in /manager/index.php...
SUSE-SU-2022:2568-1 Security update for SUSE Manager Server 4.2
This update fixes the following issues:
apache-commons-csv:
- Fix the URL for the package
- Declare the LICENSE file as license and not doc
apache-commons-math3:
- Fix the URL for the package
- Declare the LICENSE file as license and not doc
drools:
- Declare the LICENSE file as license and not d...
Code injection
All versions of the package url-regex are vulnerable to Regular Expression Denial of Service (ReDoS), which can cause excessive CPU usage...
CVE-2022-25839
Versions of the package url-js before 2.1.0 are vulnerable to Improper Input Validation due to improper parsing, which makes it possible for the hostname to be spoofed. http://\\\\localhost and http://localhost are the same URL. However, the hostname is not parsed as localhost, and the backslash is...