17 matches found

Source: Cvelist (added 2026/04/10 7:52 p.m.)

CVE-2026-39921 GeoNode < 4.4.5, 5.0.2 SSRF via Document Upload

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the docurl parameter during document upload...

CVSS 5.3, EPSS 0.00043, Exploits: 0, References: 6
Source: Snyk (added 2026/04/10 7:49 p.m.)

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

CVSS 7, AI score 5.8, Exploits: 0, References: 2
Source: EUVD (added 2026/04/08 7:32 p.m.)

EUVD-2026-20596

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREEDOWNLOADFROMURL is enabled (opt-in), authenticated users can supply remoteimage URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...

CVSS 5.3, AI score 5.9, EPSS 0.00011, Exploits: 0, References: 1
Source: CVE (added 2026/04/07 3:14 p.m.)

CVE-2026-35516

LinkAce CVE-2026-35516 affects LinkAce prior to version 2.5.4. The issue arises because LinkRepository::update and CheckLinksCommand::checkLink do not validate private IPs, allowing an authenticated user to cause server-side requests to internal resources (e.g., AWS IMDSv1, cloud metadata, intern...

CVSS 5, AI score 5.9, EPSS 0.00012, Exploits: 1, References: 1, Affected Software: 1
Source: Positive Technologies (added 2026/03/07 12:00 a.m.)

PT-2026-23824

Name of the Vulnerable Software and Affected Versions: Wallos versions prior to 4.6.2. Description: Wallos is a self-hostable personal subscription tracker. Versions prior to 4.6.2 contain a Server-Side Request Forgery (SSRF) condition in the testwebhooknotifications.php file. The application does not...

CVSS 5.3, AI score 5.8, EPSS 0.00013, Exploits: 1, References: 10
Source: Snyk (added 2026/03/06 11:56 p.m.)

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the webfetch process. An attacker can access internal resources and sensitive data by exploiting DNS rebinding to bypass URL validation and force the application to connect to private IP addresses...

CVSS 9.3, AI score 5.8, EPSS 0.00121, Exploits: 1, References: 3
Source: Positive Technologies (added 2026/02/11 12:00 a.m.)

PT-2026-7722

Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 1.1.14. Description: The RecursiveUrlLoader class within the @langchain/community component is a web crawler that recursively follows links from a starting URL. The preventOutside option, intended to restrict crawling...

CVSS 4.1, AI score 5.4, EPSS 0.00013, Exploits: 0, References: 15
Source: NVD (added 2025/07/29 6:15 a.m.)

CVE-2025-53081

An 'Arbitrary File Creation' vulnerability in Samsung DMS (Data Management Server) allows attackers to create arbitrary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses...

CVSS 9.1, EPSS 0.00783, Exploits: 0, References: 1
Source: OSV (added 2024/03/06 11:04 a.m.)

BIT-DISCOURSE-2022-39241 Possible Server-Side Request Forgery (SSRF) in webhooks

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVSS 7.6, AI score 6, EPSS 0.00309, Exploits: 0, References: 2
Source: OSV (added 2024/02/08 6:30 p.m.)

GHSA-78XJ-CGH5-2H22 NPM IP package incorrectly identifies some private IP addresses as public

The isPublic function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic is used to...

CVSS 9.8, AI score 6.9, EPSS 0.00652, Exploits: 1, References: 8
Source: NVD (added 2023/05/08 11:15 p.m.)

CVE-2023-22813

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS...

CVSS 4.3, AI score 4, EPSS 0.00194, Exploits: 0, References: 1
Source: CNNVD (added 2023/05/08 12:00 a.m.)

Western Digital My Cloud Security Vulnerability

Western Digital My Cloud is a personal cloud storage device from Western Digital. A security vulnerability exists in Western Digital My Cloud that stems from a lack of authentication checks on private IPs. An attacker could exploit this vulnerability to obtain information about the device. The...

CVSS 4.3, AI score 5.2, EPSS 0.00194, Exploits: 0, References: 2
Source: NVD (added 2022/11/02 5:15 p.m.)

CVE-2022-39241

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVSS 7.6, EPSS 0.00309, Exploits: 0, References: 1
Source: OSV (added 2022/11/02 12:00 a.m.)

CVE-2022-39241 Possible Server-Side Request Forgery (SSRF) in webhooks

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVSS 7.6, AI score 4.9, EPSS 0.00309, Exploits: 0, References: 3
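The SSRF results above fail in three related ways: a private-range check that is skipped or fed an un-canonicalised literal (GeoNode, InvenTree's URLValidator-only check, LinkAce, Wallos, the ip package treating 0x7F.1 as public), a hostname check that resolves once and lets DNS rebinding change the answer (the webfetch advisory, validateWebhookURL), and a webhook fetcher that will talk to any port (the Discourse port-enumeration issue). The Python module below is an added example, not code from any of those projects, showing one vetting routine that closes all three. It assumes a deployment-specific allowed-port set (`ALLOWED_PORTS`) and takes a resolver callable in place of `socket.getaddrinfo` so it runs offline; `FAKE_DNS` and `fake_resolver` are a constructed in-memory table for that purpose, and the NAT64 prefixes are the well-known ones from RFC 6052 and RFC 8215.

```python
"""Vet an outbound URL before a server-side fetch (webhooks, fetch-from-URL).
Added example, not code from any project in these results: IP literals are
canonicalised inet_aton()-style before classification, IPv4 targets carried in
IPv6 are unwrapped or denied, every DNS answer must be public, and the vetted
IP is returned so the caller connects to it instead of resolving a second time."""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}
ALLOWED_PORTS = {80, 443, 8080, 8443}  # assumption: ports a deployment permits for hooks
NAT64_PREFIXES = [ipaddress.ip_network("64:ff9b::/96"),    # RFC 6052 well-known prefix
                  ipaddress.ip_network("64:ff9b:1::/48")]  # RFC 8215 local-use prefix
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


class UnsafeURL(ValueError):
    """Raised for any URL the fetcher must refuse."""

def inet_aton_permissive(text: str) -> Optional[int]:
    """BSD/glibc inet_aton() rules: 1-4 dot-separated parts, each decimal, octal
    (leading 0) or hex (0x); the last part fills the remaining bytes. None if not a literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [int(p, 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10)
              for p in parts]
    *head, last = values
    tail_bits = 8 * (4 - len(head))
    if any(v > 255 for v in head) or last >= 1 << tail_bits:
        return None
    return (int.from_bytes(bytes(head), "big") << tail_bits) | last

def parse_ip_literal(host: str):
    """Canonical address if `host` is an IP literal in any accepted form, else None."""
    if ":" in host:
        try:
            return ipaddress.IPv6Address(host)
        except ValueError:
            return None
    n = inet_aton_permissive(host)
    return None if n is None else ipaddress.IPv4Address(n)

def is_public(ip) -> bool:
    """True only for unicast addresses outside every loopback, private, link-local,
    CGNAT, documentation, reserved and NAT64 range (IPv4 inside IPv6 is unwrapped)."""
    target = ip
    if isinstance(ip, ipaddress.IPv6Address):
        inner = ip.ipv4_mapped if ip.ipv4_mapped is not None else ip.sixtofour
        if inner is not None:
            target = inner
    if target.is_multicast or not target.is_global:
        return False
    return not any(target in net for net in NAT64_PREFIXES)

def vet_outbound_url(url: str, resolver: Callable[[str], List[str]]) -> Tuple[str, str, int]:
    """Return (hostname, pinned_ip, port) or raise UnsafeURL. Connect to pinned_ip with
    the hostname only in Host/SNI, and re-run this on every redirect target."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")  # http://trusted.example@evil/ confusions
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or ALLOWED_SCHEMES[scheme]
    except ValueError as exc:  # non-numeric or out-of-range port
        raise UnsafeURL(str(exc))
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} not allowed")  # blunts port scanning through hooks
    literal = parse_ip_literal(host)
    if literal is not None:
        answers = [literal]
    else:
        try:
            answers = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            raise UnsafeURL(f"cannot resolve {host}: {exc}")
    if not answers or not all(is_public(ip) for ip in answers):  # every answer must pass
        raise UnsafeURL(f"{host} resolves to no address or to a non-public one")
    return host, str(answers[0]), port


# Constructed DNS answers so the example runs offline (93.184.216.34 is simply a
# public address; "rebind" answers with a public and a loopback address at once).
FAKE_DNS = {"hooks.example.com": ["93.184.216.34"],
            "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
            "imds.example.com": ["169.254.169.254"]}

def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

The return value pins the address: the caller must open the connection to `pinned_ip`, send the hostname only in the Host header and TLS SNI, disable automatic redirect following, and vet each Location target the same way; otherwise the HTTP library resolves the name a second time and a changed DNS answer reaches the internal host. The port allowlist is what turns webhook SSRF from a general port scanner into a narrow one, at the cost of refusing hooks on unusual ports.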
Source: Kitploit (added 2020/07/03 1:00 p.m.)

Behave - A Monitoring Browser Extension For Pages Acting As Bad Boys

A still-in-development monitoring browser extension for pages acting as bad boys. NB: This is the code repository of the project; if you're looking for the packed extensions: Firefox: https://addons.mozilla.org/en-US/firefox/addon/behave/ Chrome:...

AI score 7.2, Exploits: 0
Source: rapid7community (added 2016/03/04 12:19 p.m.)

Nexpose Scan Engine on the AWS Marketplace

Rapid7 is excited to announce that you can now find a Nexpose Scan Engine AMI on the Amazon Web Services Marketplace, making it simple to deploy a pre-authorized Nexpose Scan Engine from the AWS Marketplace to scan your AWS assets! What is an AMI? An Amazon Machine Image (AMI) allows you to launch ...

AI score 6.5, Exploits: 0
Source: Packet Storm (added 2011/10/13 12:00 a.m.)

Supermicro IPMI Password Disclosure

== Product == Tested hardware: Supermicro X8SI6-F mainboard (IPMI firmware 2.50); Supermicro X9SCL-F mainboard (IPMI firmware 1.01). Likely affects other Supermicro boards of those generations that use the same type of firmware. == Problem == Modern servers often include a feature called IPMI to...

AI score 7.4, Exploits: 0