PYSEC-2026-58

The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin ro...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in validatewebhookurl, in validate.py. The createwebhook function accepts a user-controlled url parameter without validation. An attacker can cause the backend to send HTTP requests to internal services,...

CVE-2026-43969

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cowcookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs...

CVE-2026-42860

The CVE-2026-42860 issue affects Open edX Openedx Enterprise Service (edx-enterprise). From 7.0.2 through 7.0.4, the sync_provider_data endpoint retrieves SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated Enterprise Admin can PATCH this field to an arbitrary ...

CVE-2026-42858 Open edX Platform: Server-Side Request Forgery (SSRF) in SAML Provider Data Sync Endpoint

Open edX Platform enables the authoring and delivery of online learning at any scale. The syncproviderdata endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadataurl POST parameter. This URL is passed directly to requests.get in...

CVE-2026-42858

Open edX Platform contains a server-side request forgery (SSRF) in the sync_provider_data endpoint of SAMLProviderDataViewSet. An authenticated Enterprise Admin can supply an arbitrary URL via the metadata_url parameter, which is passed to requests.get() in fetch_metadata_xml() without URL valida...

CVE-2026-42603

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pullrequesttarget privileged trigger but checks out and executes code directly from the attacker's fork, enabling...

CVE-2026-45001

OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, a...

CVE-2026-45000 OpenClaw < 2026.4.20 - Server-Side Request Forgery via Browser CDP Profile Creation

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed durin...

CVE-2026-3609 XIGNCODE3 xhunter1.sys kernel driver contains a Privilege Escalation Vulnerability

Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRPMJREITS command interface, which allows any user process to request a PROCESSALLACCESS. Cross reference to KVE 2023-5589 https://krcert.or.kr...

NPM: Budibase vulnerable to SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)

NPM: Budibase vulnerable to SSRF via trivial .tar.gz substring bypass in Plugin URL upload /api/plugin vulnerability discovered by ? in WordPress Npm budibase versions = 3.34.11...

Server-side Request Forgery (SSRF)

Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the urlUpload function. An attacker can access internal network resources and sensitive metadata by submitting a...

Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding

Summary The apiHandler and similarly webHandlerTelegramBot processes user-provided JSON payloads by directly using json.NewDecoderr.Body.Decode&request without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload e.g., several...

CVE-2026-7817

Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...

CVE-2026-42603

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pullrequesttarget privileged trigger but checks out and executes code directly from the attacker's fork, enabling...

CVE-2026-42603

The CVE affects OWASP BLT prior to version 2.1.2. The vulnerability arises in the .github/workflows/pre-commit-fix.yaml workflow, which uses pull_request_target (a privileged trigger) to checkout and execute code directly from the attacker’s fork. This enables Remote Code Execution with write per...

EUVD-2026-29126

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pullrequesttarget privileged trigger but checks out and executes code directly from the attacker's fork, enabling...

CVE-2026-42603 OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pullrequesttarget privileged trigger but checks out and executes code directly from the attacker's fork, enabling...

CVE-2026-42603 OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pullrequesttarget privileged trigger but checks out and executes code directly from the attacker's fork, enabling...

Valtimo has sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer

Summary The LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers. When an error response is received, this information is included in the thrown...