72 matches found

NVD, added 3 days ago, 8 views

CVE-2026-10287

A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function getheaders of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been...

CVSS 7.5, EPSS 0.00045
Exploits 0, References 6
Vulnrichment, added 2026/05/23 4:27 a.m., 4 views

CVE-2026-6895 Wishlist Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation via 'wlm3_export_settings' AJAX Action

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

CVSS 8.8, AI score 5.8, EPSS 0.00044
Exploits 0, References 2
RedhatCVE, added 2026/05/11 8:27 p.m., 4 views

CVE-2026-8193

A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made...

CVSS 6.5, AI score 6.2, EPSS 0.00038
Exploits 0, References 1
Positive Technologies, added 2026/05/11 12:00 a.m., 4 views

PT-2026-39627

Name of the Vulnerable Software and Affected Versions: pgAdmin 4 versions prior to 9.15. Description: Local file inclusion (LFI) and server-side request forgery (SSRF) issues exist in the LLM API configuration endpoints. Authenticated users can read arbitrary server-side files by providing a path to the...

CVSS 7.1, AI score 5.9, EPSS 0.00034
Exploits 0, References 8
CVE, added 2026/04/02 3:00 p.m., 1 view

CVE-2026-5346

The CVE-2026-5346 entry affects huimeicloud hm_editor version up to 2.2.3. The vulnerability is in the image-to-base64 Endpoint, specifically the file src/mcp-server.js, in the function client.get. By manipulating the url argument, an attacker can trigger a server-side request forgery remotely. P...

CVSS 7.5, AI score 6.7, EPSS 0.00054
Exploits 0, References 4
Positive Technologies, added 2026/03/30 12:00 a.m., 4 views

PT-2026-29093

A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used...

CVSS 6.5, AI score 6.3, EPSS 0.00015
Exploits 0, References 7
GitLab Advisory Database, added 2026/03/30 12:00 a.m., 3 views

FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith URL prefix matching flaw in the credential provider ManagedWebAccessUtils.getServer, an attacker can steal authentication tokens...

CVSS 9.3, AI score 5.9, EPSS 0.00067
Exploits 1, References 4
EUVD, added 2026/03/27 6:31 p.m., 2 views

EUVD-2026-16696

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...

CVSS 8.7, AI score 5.9, EPSS 0.00026
Exploits 0, References 3
EUVD, added 2026/03/27 6:31 p.m., 2 views

EUVD-2026-16694

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer,...

CVSS 8.7, AI score 5.8, EPSS 0.00049
Exploits 0, References 3
ATTACKERKB, added 2026/03/11 6:32 p.m., 0 views

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6...

CVSS 5, AI score 5.8, EPSS 0.00038
Exploits 0, References 2, Affected Software 1
Vulnrichment, added 2026/02/23 8:02 p.m., 3 views

CVE-2026-3026 erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery

A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated...

CVSS 7.5, AI score 5.2, EPSS 0.00074
Exploits 1, References 4
Positive Technologies, added 2026/02/06 12:00 a.m., 3 views

PT-2026-6672

Name of the Vulnerable Software and Affected Versions: kalyan02 NanoCMS versions up to 0.4. Description: A flaw exists in kalyan02 NanoCMS that allows for remote request manipulation. The issue is related to an unknown functionality within the /data/pagesdata.txt file of the User Information Handler...

CVSS 6.9, AI score 5.3, EPSS 0.00044
Exploits 0, References 10
RedhatCVE, added 2026/01/09 12:30 p.m., 2 views

CVE-2023-40370

IBM Robotic Process Automation 21.0.0 through 21.0.7.1 runtime is vulnerable to information disclosure of script content if the remote REST request computer policy is enabled. IBM X-Force ID: 263470...

CVSS 5.3, AI score 6.2, EPSS 0.00082
Exploits 0, References 1
Positive Technologies, added 2025/12/29 12:00 a.m., 2 views

PT-2025-53709

Name of the Vulnerable Software and Affected Versions: Refugee Food Management System version 1.0. Description: A flaw exists in Refugee Food Management System 1.0 that allows for SQL injection. This occurs through manipulation of the refNo argument in a remote request to the /home/served.php file...

CVSS 9.8, AI score 6.9, EPSS 0.00017
Exploits 0, References 10
EUVD, added 2025/12/16 4:48 a.m., 2 views

EUVD-2025-203504

CHOCO TEI WATCHER mini IB-MCT001 contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive...

CVSS 8.7, AI score 6.4, EPSS 0.0016
Exploits 0, References 3
Positive Technologies, added 2025/12/04 12:00 a.m., 2 views

PT-2025-49124

Name of the Vulnerable Software and Affected Versions: Medtronic CareLink Network versions prior to December 4, 2025. Description: An unauthenticated remote attacker can send a request to an API endpoint to obtain security questions. This could potentially reveal valid user accounts. Recommendations...

CVSS 5.3, AI score 6.7, EPSS 0.00044
Exploits 0, References 4
Vulnrichment, added 2025/11/04 3:19 a.m., 1 view

CVE-2025-47353 Exposed Dangerous Method or Function in Automotive Software platform based on QNX

Memory corruption while processing request sent from GVM...

CVSS 7.8, AI score 6.7, EPSS 0.00018
Exploits 0, References 1
EUVD, added 2025/10/03 8:07 p.m., 0 views

EUVD-2021-28325

Malicious code in bioql PyPI...

CVSS 8.8, AI score 8.8, EPSS 0.0017
Exploits 1, References 1
EUVD, added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-59053

Malicious code in bioql PyPI...

CVSS 9.8, AI score 7.7, EPSS 0.0019
Exploits 0, References 5
EUVD, added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-1139

Malicious code in bioql PyPI...

CVSS 4.9, AI score 5.2, EPSS 0.00499
Exploits 0, References 6