Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient

Description Symfony\Component\HttpClient\NoPrivateNetworkHttpClient is documented as a decorator that blocks requests to private networks by default. The list of blocked subnets Symfony\Component\HttpFoundation\IpUtils::PRIVATESUBNETS on 6.4+, a private constant in NoPrivateNetworkHttpClient on 5...

tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template

Summary The assertPath guard added to [email protected] rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value Array, Buffer, or any object whose includes'..' returns falsy but whose stringification still contains ../...

CVE-2026-42932

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated...

CVE-2026-42932

The CVE-2026-42932 entry concerns the Naxclow IoT Platform where identifier generation uses fixed manufacturing prefixes with sequential counters, creating a fully predictable and enumerable identifier space. An exposed endpoint reveals the current identifier high-water mark, enabling enumeration...

EUVD-2026-36532

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated...

PT-2026-48952

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated...

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

PT-2026-48807

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

CVE-2026-41731

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

JLSEC-2026-582 xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion...

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes...

CVE-2026-8450

A flaw was found in HTTP::Daemon, a Perl module used for creating HTTP servers. A remote attacker can exploit this vulnerability by providing specially crafted input to the sendfile function, leading to OS command injection. This allows the attacker to execute arbitrary commands on the system wit...

CVE-2026-44589

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl denylist introduced in [email protected] to remediate GHSA-pqhr-mp3f-hrpp Dmitry Prokhorov / Positive Technologies, March 2026 is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validatio...

CVE-2026-6342

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID:...

CVE-2026-42885

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix e.g.,...

netty-incubator-codec-ohttp 安全漏洞

netty-incubator-codec-ohttp is an application developed by the Netty community. Versions prior to 0.0.22.Final of netty-incubator-codec-ohttp contain security vulnerabilities. These vulnerabilities stem from the codec-ohttp implementation, which does not verify whether a final block with a...

Cpanel::JSON::XS 安全漏洞

Cpanel::JSON::XS is a tool developed by RURBAN personal developers that converts Perl data structures into JSON format. Versions of Cpanel::JSON::XS prior to version 4.41 contained security vulnerabilities. These vulnerabilities stemmed from exceptions thrown during the decoding filter callback,...

Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes

Summary IsPublicIP in pkg/gotenberg/outbound.go incorrectly classifies IPv6 6to4 / NAT64 / deprecated site-local addresses as public IPs, allowing an unauthenticated attacker to reach internal destinations e.g., cloud metadata services at 169.254.169.254 via a single crafted DNS AAAA record. This...

CVE-2026-8450

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...

CVE-2026-8450

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...

UBUNTU-CVE-2026-8450

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...