43 matches found
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
Summary: The SSRF mitigation added in commit 33c55da for GHSA-7gvf-3w72-p2pg is incomplete. The PREREQFUNCTION-based private IP check was correctly applied to the HTTPChunk download path but not to HTTPRequest used by the parse_urls API. An authenticated attacker can supply a URL pointing to an...
Playwright Capture Code Issue Vulnerability
Playwright Capture is an open-source web capture tool based on Playwright developed by Lookyloo. Versions of Playwright Capture prior to 1.39.6 contained code vulnerabilities. These vulnerabilities stemmed from insufficient restrictions on navigation and resource requests initiated by rendered...
CVE-2026-35516
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a publ...
CVE-2026-39843
Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete, which could lead to the same full-read Server-Side Request Forgery when a normal HTML page contains a link tag with an href that redirects to a private IP address ...
CVE-2026-35516 LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a publ...
EUVD-2026-10875
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create calls HtmlMeta::getFromUrl). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-si...
CVE-2026-27023 Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass...
PT-2026-23479
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass...
DaaS - Create machine catalog using private storage endpoints on Azure
Create a secure environment in Azure by forcing all storage traffic through Private IPs. With this the Azure Storage Endpoint gets a Private IP assigned, and the Hosting Connection traffic cannot go through the public internet; all traffic needs to go through a Private IP...
@0xvaibhav/--core (>=1.0.0 <=1.0.4), @0xvaibhav/divergent-node (>=0.0.1 <=0.0.3) +783 more potentially affected by CVE-2025-8020 via private-ip (>=1.0.5 <=3.0.2)
private-ip NPM version =1.0.5, =1.0.0, =0.0.1, =1.0.3, =0.0.1, =0.0.2, =9.3.0, =1.16.47, =1.16.47, =1.1.12, =1.16.33-beta-20241028-005826-60afb7c4, =1.16.47, =1.0.0, =1.16.47, =1.0.0, =1.0.35, =1.3.1 and more Source cves: CVE-2025-8020 Source advisory: SNYK:JS-PRIVATEIP-9510757...
CVE-2022-36785
D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href = http://192.168.1.1/setupWizard.asp" http://192.168.1.1/setupWizard.asp" ; "admin" – contains defaul...
GHSA-4JCV-VP96-94XR MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding
Summary: DNS rebinding is a method of manipulating the resolution of domain names so that the initial DNS query hits one address and the second hits another. For instance, the host make-190.119.176.200-rebind-127.0.0.1-rr.1u.ms would be initially resolved to 190.119.176.200 and the next DNS issue to...
USN-6941-1: Python vulnerability
It was discovered that the Python ipaddress module contained incorrect information about which IP address ranges were considered “private” or “globally reachable”. This could possibly result in applications applying incorrect security policies...
PT-2024-23864
Name of the Vulnerable Software and Affected Versions: Fides versions 2.19.0 through 2.39.2rc0. Description: A vulnerability in Fides allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of the SERVER_SIDE_FIDES_API_URL server-side...
VulnCheck KEV: CVE-2024-31223
Fides is an open-source privacy engineering platform, and SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP...
USN-6643-1: NPM IP vulnerability
Emre Durmaz discovered that the NPM IP package incorrectly distinguished between private and public IP addresses. A remote attacker could possibly use this issue to perform Server-Side Request Forgery (SSRF) attacks...
NPM IP package incorrectly identifies some private IP addresses as public
The isPublic function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic is used to...
Authorization
D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href = http://192.168.1.1/setupWizard.asp" http://192.168.1.1/setupWizard.asp" ; "admin" – contains defaul...
Metasploit Weekly Wrap-Up
Capture Plugin: Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture. Users can start and configure each of these modules individually,...
Server-Side Request Forgery (SSRF) in chocobozzz/peertube
Description: First of all, thanks to my friend Haxatron for his excellent report. I read the fix commit, and I found out that the code only checked the IP addresses and didn't check the domain names that refer to a private IP address. Steps to reproduce: first, set up a local server at 127.0.0.2:8000...