31 matches found
CVE-2026-46697
Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy includes/MediaProxy.php with permissioncallback = returntrue that accepted a base64-encoded URL and forwarded it to wpremoteget$url without...
DEBIAN-CVE-2026-44492
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NOPROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe...
CVE-2026-46697 Fediverse Embeds: Unauthenticated SSRF / open proxy via REST media-proxy endpoint
Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy includes/MediaProxy.php with permissioncallback = returntrue that accepted a base64-encoded URL and forwarded it to wpremoteget$url without...
CVE-2026-44373
Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...
CVE-2026-44373
Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...
CVE-2026-44373 Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`
Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...
Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
Summary A Server-Side Request Forgery SSRF vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load to load an attacker-controlled Space, the malicious proxyurl from the config is...
CVE-2026-3293
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts...
CVE-2026-3293 snowflakedb snowflake-jdbc JDBC URL SdkProxyRoutePlanner.java SdkProxyRoutePlanner redos
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts...
CVE-2026-3293 snowflakedb snowflake-jdbc JDBC URL SdkProxyRoutePlanner.java SdkProxyRoutePlanner redos
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts...
PT-2026-22301
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts...
CVE-2021-31216
Siren Investigate before 11.1.1 contains a server side request forgery SSRF defect in the built-in image proxy route which is enabled by default. An attacker with access to the Investigate installation can specify an arbitrary URL in the parameters of the image proxy route and fetch external URLs...
EUVD-2021-18129
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2025-31483
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site...
SUSE CVE-2025-31483
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/ route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to a weak Content Security Policy on the /proxy/ route. An attacker can bypass the CSP of the media proxy and execute arbitrary JavaScript when opening external images in a new tab or window. Note: This is...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to a weak Content Security Policy on the /proxy/ route. An attacker can bypass the CSP of the media proxy and execute arbitrary JavaScript when opening external images in a new tab or window. Note: This is...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to a weak Content Security Policy on the /proxy/ route. An attacker can bypass the CSP of the media proxy and execute arbitrary JavaScript when opening external images in a new tab or window. Note: This is...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to a weak Content Security Policy on the /proxy/ route. An attacker can bypass the CSP of the media proxy and execute arbitrary JavaScript when opening external images in a new tab or window. Note: This is...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to a weak Content Security Policy on the /proxy/ route. An attacker can bypass the CSP of the media proxy and execute arbitrary JavaScript when opening external images in a new tab or window. Note: This is...