22 matches found
CVE-2026-43929 ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address, e.g. http://::ffff:127.0.0.1/. The WHATWG URL parser bui...
GHSA-FHQ3-2GF3-8F3J misp-modules has unsafe remote resource fetching in expansion
An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally...
CVE-2026-34443
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so the function always returns false without checking any CIDR...
CVE-2026-34443 FreeScout: SSRF protection bypass via broken CIDR check in checkIpByMask()
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so the function always returns false without checking any CIDR...
PT-2026-29375
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so the function always returns false without checking any CIDR...
CVE-2026-33766
WWBN AVideo is an open source video platform. In versions up to and including 26.0, isSSRFSafeURL validates URLs against private/reserved IP ranges before fetching, but urlgetcontents follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by...
MiracleLinux 8 : python3-3.6.8-67.el8_10.ML.1 (AXSA:2024-8859:05)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8859:05 advisory. python: incorrect IPv4 and IPv6 private ranges CVE-2024-4032 cpython: python: email module doesn't properly quotes newlines in email headers, allowi...
MiracleLinux 8 : python3.11-3.11.9-7.el8_10 (AXSA:2024-8834:23)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8834:23 advisory. python: incorrect IPv4 and IPv6 private ranges CVE-2024-4032 cpython: python: email module doesn't properly quotes newlines in email headers, allowi...
MiracleLinux 8 : python39:3.9 and python39-devel:3.9 (AXSA:2024-8745:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8745:01 advisory. python: incorrect IPv4 and IPv6 private ranges CVE-2024-4032 pypa/setuptools: Remote code execution via download functions in the packageindex modul...
GHSA-9H3Q-32C7-R533 private-ip vulnerable to Server-Side Request Forgery
All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF), where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4), which is not included as part of the private IP ranges in the package's source code...
CLSA-2025-1742379028 Fix CVE(s): CVE-2024-11168, CVE-2024-4032, CVE-2025-0938
SECURITY UPDATE: Improper validation of bracketed hosts in urllib - debian/patches/CVE-2024-11168.patch: add checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format - CVE-2024-11168 SECURITY UPDATE: Incomplete validation of bracketed hosts in urllib -...
Moderate: python3.12 security update
Python 3.12 is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3.12 package provides the "python3.12" executable:...
python: incorrect IPv4 and IPv6 private ranges
A flaw was found in Python. The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. Due to this issue, it is possible that values will not be returned in accordance with the latest information from th...
SUSE SLES12 Security Update : python3 (SUSE-SU-2024:2959-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2959-1 advisory. - CVE-2024-4032: Fixed incorrect IPv4 and IPv6 private ranges bsc1226448. - Stop using %%defattr, it seems to be breaking proper executable...
SUSE-SU-2024:2959-1 Security update for python3
This update for python3 fixes the following issues: - CVE-2024-4032: Fixed incorrect IPv4 and IPv6 private ranges bsc1226448. - Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts bsc1227378...
USN-6941-1 python3.12 vulnerability
It was discovered that the Python ipaddress module contained incorrect information about which IP address ranges were considered “private” or “globally reachable”. This could possibly result in applications applying incorrect security policies...