Lucene search
K

164 matches found

Cvelist
Cvelist
added 2026/03/30 7:42 p.m.22 views

CVE-2026-31804 Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pmsimageproxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme...

4CVSS0.00277EPSS
Exploits1References2
CVE
CVE
added 2026/03/30 7:42 p.m.14 views

CVE-2026-31804

CVE-2026-31804 affects Tautulli (Python-based Plex monitor) before version 2.17.0. The vulnerable /pms_image_proxy endpoint accepts a user-controlled img parameter and forwards it to Plex Media Server’s /photo/:/ transcode transcoder without authentication or host/scheme restrictions. Because web...

5.3CVSS5.8AI score0.00277EPSS
Exploits1References2Affected Software1
SUSE CVE
SUSE CVE
added 2026/03/28 12:27 a.m.8 views

SUSE CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.9AI score0.00274EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.4 views

CVE-2026-33340

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...

9.1CVSS5.9AI score0.21629EPSS
Exploits3References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.5 views

CVE-2026-33480

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching the...

8.6CVSS5.7AI score0.0032EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.4 views

CVE-2026-33039

WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL, but only checks the initial URL. When the initial URL responds with an HTTP redirect Location heade...

8.6CVSS5.8AI score0.00453EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/24 3:58 p.m.4 views

EUVD-2026-14928

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...

9.1CVSS5.9AI score0.21629EPSS
Exploits3References2
Cvelist
Cvelist
added 2026/03/24 3:58 p.m.21 views

CVE-2026-33340 LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...

9.1CVSS0.21629EPSS
Exploits3References2
ATTACKERKB
ATTACKERKB
added 2026/03/24 3:58 p.m.3 views

CVE-2026-33340

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...

9.1CVSS5.9AI score0.21629EPSS
Exploits3References3
CVE
CVE
added 2026/03/24 3:58 p.m.21 views

CVE-2026-33340

LoLLMs WEBUI (lollms-webui) contains a critical SSRF in the /api/proxy endpoint (POST) that allows unauthenticated attackers to force the server to perform arbitrary GET requests. Root cause: server-side request execution via an unauthenticated endpoint; impact includes access to internal service...

9.1CVSS5.9AI score0.21629EPSS
Exploits3References2Affected Software1
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.8 views

LoLLMs WEBUI 安全漏洞

LoLLMs WEBUI is a large-scale model web user interface developed by Saifeddine ALOUI, which supports integration of multiple models and modalities. LoLLMs WEBUI has a security vulnerability. This vulnerability stems from the/api/proxy endpoint, which allows unverified users to force the server to...

9.1CVSS5.9AI score0.21629EPSS
Exploits3References2
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.6 views

PT-2026-27456

Name of the Vulnerable Software and Affected Versions LoLLMs WEBUI affected versions not specified Description LoLLMs WEBUI, the web user interface for Lord of Large Language and Multi modal Systems, contains a Server-Side Request Forgery SSRF issue. An unauthenticated attacker can exploit this t...

9.1CVSS5.9AI score0.21629EPSS
Exploits3References8
ATTACKERKB
ATTACKERKB
added 2026/03/23 7:18 p.m.4 views

CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References3Affected Software1
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.9 views

WWBN AVideo 代码问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained code vulnerabilities. These vulnerabilities stemmed from the isSSRFSafeURL function, which allowed bypassing IPv6 addresses using IPv4 mapping. This could lead to...

8.6CVSS5.9AI score0.0032EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/21 6:30 a.m.5 views

EUVD-2026-14149

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the reduxp AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint wpajaxnoprivreduxp that is accessible to...

7.2CVSS5.9AI score0.00272EPSS
Exploits0References8
CVE
CVE
added 2026/03/21 3:27 a.m.7 views

CVE-2026-3478

CVE-2026-3478 affects the Content Syndication Toolkit plugin for WordPress (versions

7.2CVSS5.9AI score0.00272EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:27 a.m.4 views

CVE-2026-3478

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the reduxp AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint wpajaxnoprivreduxp that is accessible to...

7.2CVSS5.9AI score0.00272EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.4 views

PT-2026-26856

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint wp ajax nopriv redux p that is accessible to...

7.2CVSS6AI score0.00272EPSS
Exploits0References11
ATTACKERKB
ATTACKERKB
added 2026/03/20 5:38 a.m.7 views

CVE-2026-33039

WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL, but only checks the initial URL. When the initial URL responds with an HTTP redirect Location heade...

8.6CVSS5.8AI score0.00453EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.10 views

PT-2026-26767

Summary The isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an...

8.6CVSS5.8AI score0.0032EPSS
Exploits1References5
Rows per page
Query Builder