
7 matches found

EUVD
added 2026/03/27 2:31 p.m., 4 views

EUVD-2026-16652

WWBN AVideo is an open source video platform. In versions up to and including 26.0, isSSRFSafeURL validates URLs against private/reserved IP ranges before fetching, but urlgetcontents follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by...

CVSS: 5.3, AI score: 5.9, EPSS: 0.00035
Exploits: 1, References: 2
Veracode
added 2026/03/06 7:23 a.m., 3 views

Server-Side Request Forgery (SSRF)

mcp-fetch-server is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper private IP validation, which allows an attacker to bypass the validation mechanism and access internal network resources...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00072
Exploits: 1, References: 4, Affected Software: 1
Positive Technologies
added 2026/02/18 12:0 a.m., 4 views

PT-2026-20373

Name of the Vulnerable Software and Affected Versions: Libredesk versions prior to 1.0.2-0.20260215211005-727213631ce6

Description: Libredesk, a self-hosted customer support desk application, is susceptible to a Server-Side Request Forgery (SSRF) issue in its Webhooks module. An authenticated...

CVSS: 9.9, AI score: 5.8, EPSS: 0.00733
Exploits: 44, References: 117
ATTACKERKB
added 2026/02/11 9:11 p.m., 2 views

CVE-2026-26019

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site...

CVSS: 4.1, AI score: 5.4, EPSS: 0.00013
Exploits: 0, References: 5, Affected Software: 1
CVE
added 2025/12/09 12:0 a.m., 15 views

CVE-2025-65513

CVE-2025-65513 affects fetch-mcp v1.0.2 and earlier. The vulnerability is Server-Side Request Forgery (SSRF) that allows bypassing private IP validation to reach internal network resources. Reported root cause involves the is_ip_private logic in fetch-mcp server code (notably in the MCP fetch-ser...

CVSS: 7.5, AI score: 6.5, EPSS: 0.00072
Exploits: 1, References: 2, Affected Software: 1
OSV
added 2021/11/22 5:15 p.m., 2 views

CVE-2021-23718

The package ssrf-agent before 1.0.5 is vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. It fails to properly validate if the IP requested is private...

CVSS: 7.5, AI score: 7.1
Exploits: 0, References: 3
Cvelist
added 2021/11/22 5:0 p.m., 9 views

CVE-2021-23718 Server-side Request Forgery (SSRF)

The package ssrf-agent before 1.0.5 is vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. It fails to properly validate if the IP requested is private...

CVSS: 6.5, AI score: 7.8, EPSS: 0.00354
Exploits: 1, References: 3