43 matches found
nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling
A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs,...
nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling
A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs,...
CVE-2026-48615
Summary: CVE-2026-48615 concerns a flaw in Node.js proxy tunnel error handling that can expose proxy credentials embedded in the proxy URL via the ERR_PROXY_TUNNEL error messages. The leak is tied to error handling paths and could be captured by logs, diagnostics, or other error consumers. Affect...
Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
Summary A Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load to load an attacker-controlled Space, the malicious proxyurl from the config is...
Server-side Request Forgery (SSRF)
Overview gradio is a Python library for easily interacting with trained machine learning models Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the gr.load function. An attacker can access internal services, cloud metadata endpoints, and private networks b...
CVE-2026-28416
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses...
PYSEC-2026-66
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses...
PYSEC-2026-66
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses...
CVE-2026-28416 Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses...
CVE-2026-28416 Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses...
CVE-2026-28416
Gradio prior to v6.6.0 is affected by an SSRF in gr.load() via a malicious Space that causes the config-provided proxy_url to be trusted and added to the allowlist. An attacker can trigger arbitrary HTTP requests from the victim’s server to internal services, cloud metadata endpoints, and private...
EUVD-2026-9084
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses...
CVE-2026-28416 Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses...
Gradio 代码问题漏洞
Gradio is an open-source Python library developed by Google. It provides a user-friendly web interface for demonstrating machine learning models. Versions of Grradio prior to 6.6.0 had code vulnerabilities. These vulnerabilities stemmed from maliciously configured proxyurl settings, which could...
CVE-2026-1495
The vulnerability, if exploited, could allow an attacker with Event Log Reader S-1-5-32-573 privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized access to the proxy server...
CVE-2026-1495 Insertion of Sensitive Information into Log File vulnerability in AVEVA PI to CONNECT Agent
The vulnerability, if exploited, could allow an attacker with Event Log Reader S-1-5-32-573 privileges to obtain proxy details, including URL and proxy credentials, from the PI to CONNECT event log files. This could enable unauthorized access to the proxy server...
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources
Summary Miniflux's media proxy endpoint GET /proxy/encodedDigest/encodedURL can be abused to perform Server-Side Request Forgery SSRF. An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresse...
EUVD-2024-49313
Malicious code in bioql PyPI...
EUVD-2022-24574
Malicious code in bioql PyPI...
CVE-2022-1239
The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the editposts capability by default contributor and above to perform SSRF attacks...