Lucene search
K

165 matches found

CNNVD
CNNVD
added 2026/03/20 12:0 a.m.6 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo 25.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the proxy.php endpoint not revalidating HTTP redirection targets, which could lead to access ...

8.6CVSS5.8AI score0.00453EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.11 views

PT-2026-26767

Summary The isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an...

8.6CVSS5.8AI score0.0032EPSS
Exploits1References5
Snyk
Snyk
added 2026/03/17 8:33 p.m.54 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the proxy.php endpoint when handling HTTP redirects without re-validating the redirect target. An attacker can access internal...

8.7CVSS5.8AI score0.00453EPSS
Exploits1References2
NVD
NVD
added 2026/03/11 9:16 p.m.6 views

CVE-2026-32110

SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and...

8.3CVSS0.00278EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/03 12:0 a.m.25 views

CVE-2021-35486

A Cross-Site Request Forgery CSRF vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie...

0.00187EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/02 7:14 p.m.3 views

CVE-2026-25477

AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to...

6.9CVSS5.8AI score0.00164EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/03/02 12:0 a.m.7 views

AFFiNE.Pro 输入验证错误漏洞

AFFiNE.Pro is an open-source next-generation knowledge base developed by Toeverything. Versions of AFFiNE.Pro prior to 0.26.0 contained a vulnerability related to input validation errors. This vulnerability stemmed from defects in the domain name verification logic of the /redirect-proxy endpoint...

6.9CVSS5.8AI score0.00164EPSS
Exploits0References1
OSV
OSV
added 2026/02/15 2:16 p.m.5 views

CVE-2019-25376

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogAC...

5.1CVSS5.7AI score
Exploits0References4
NVD
NVD
added 2026/02/15 2:16 p.m.8 views

CVE-2019-25376

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogAC...

6.1CVSS0.00363EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/02/15 1:58 p.m.11 views

CVE-2019-25376

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogAC...

6.1CVSS5.6AI score0.00363EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/15 1:58 p.m.5 views

CVE-2019-25376 OPNsense 19.1 Reflected XSS via proxy endpoint

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogAC...

6.1CVSS5.7AI score0.00363EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/02/15 1:58 p.m.24 views

CVE-2019-25376 OPNsense 19.1 Reflected XSS via proxy endpoint

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogAC...

6.1CVSS0.00363EPSS
Exploits1References4
CVE
CVE
added 2026/02/15 1:58 p.m.13 views

CVE-2019-25376

OPNsense 19.1 is affected by a reflected cross-site scripting (XSS) vulnerability in the proxy endpoint. The ignoreLogACL parameter can be exploited via crafted POST payloads to inject JavaScript, enabling an unauthenticated attacker to execute scripts in users’ browsers. Root cause: improper han...

6.1CVSS5.6AI score0.00363EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/15 12:0 a.m.9 views

PT-2026-8248

OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted payloads through the ignoreLogACL parameter. Attackers can send POST requests to the proxy endpoint with JavaScript code in the ignoreLogAC...

6.1CVSS5.6AI score0.00363EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/02/15 12:0 a.m.9 views

Deciso OPNsense 跨站脚本漏洞

Deciso OPNsense is a set of open-source firewall and routing software based on FreeBSD developed by the Dutch company Deciso. Version Decivo OPNsense 19.1 contains a cross-site scripting vulnerability. This vulnerability stems from insufficient input validation for the ignoreLogACL parameter in t...

6.1CVSS5.9AI score0.00363EPSS
Exploits1References4
VulnCheck KEV
VulnCheck KEV
added 2026/02/11 12:0 a.m.7 views

VulnCheck KEV: CVE-2026-21859

Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery SSRF vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it do...

5.8CVSS5.8AI score0.00755EPSS
In wildExploits2References4
Vulnrichment
Vulnrichment
added 2026/02/05 9:13 a.m.6 views

CVE-2026-1294 All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

7.2CVSS5.6AI score0.00293EPSS
Exploits0References3
CVE
CVE
added 2026/02/05 9:13 a.m.16 views

CVE-2026-1294

The CVE-2026-1294 issue affects the WordPress plugin All In One Image Viewer Block, version

7.2CVSS5.6AI score0.00293EPSS
Exploits0References3
EUVD
EUVD
added 2026/02/05 9:13 a.m.6 views

EUVD-2026-5548

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

7.2CVSS5.6AI score0.00293EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/05 9:13 a.m.29 views

CVE-2026-1294 All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

7.2CVSS0.00293EPSS
Exploits0References3
Rows per page
Query Builder