24 matches found

ATTACKERKB · added 2026/05/15 8:40 p.m. · 6 views

CVE-2026-45402

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the...

CVSS 8.1 · AI score 5.8 · EPSS 0.00012
Exploits 1 · References 2 · Affected Software 1

Snyk · added 2026/04/27 9:31 p.m. · 4 views

Server-side Request Forgery (SSRF)

Overview: mcp-url-downloader is an MCP server that enables AI assistants to download files from URLs to the local filesystem. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the validateurlsafe function. An attacker can access internal resources or services b...

CVSS 7.5 · AI score 7.1 · EPSS 0.00054
Exploits 0 · References 2

Snyk · added 2026/04/22 7:57 p.m. · 2 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...

CVSS 8.5 · AI score 5.9 · EPSS 0.00016
Exploits 0 · References 4

EUVD · added 2026/04/20 12:31 p.m. · 0 views

EUVD-2025-209530

Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been...

CVSS 5.1 · AI score 5.7 · EPSS 0.00059
Exploits 0 · References 4

Snyk · added 2026/04/01 9:08 p.m. · 2 views

Server-side Request Forgery (SSRF)

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the EPG link processing, which fails to properly validate URLs using the intended isSSRFSafeURL function. An attacker can caus...

CVSS 7.1 · AI score 5.9 · EPSS 0.00012
Exploits 1 · References 2

Positive Technologies · added 2026/03/18 12:00 a.m. · 2 views

PT-2026-26167

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch server-side, and returns the...

CVSS 8.6 · AI score 5.8 · EPSS 0.00072
Exploits 0 · References 9

Github Security Blog · added 2026/02/24 8:10 p.m. · 6 views

Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads

Impact: A Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. Users are affected ...

CVSS 6.5 · AI score 5.6 · EPSS 0.00011
Exploits 0 · References 5 · Affected Software 1

OpenVAS · added 2026/01/30 12:00 a.m. · 2 views

Ubuntu: Security Advisory (USN-7981-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 5.5 · AI score 5.9 · EPSS 0.00006
Exploits 0 · References 2

NVD · added 2026/01/12 11:15 p.m. · 3 views

CVE-2026-22805

Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and...

CVSS 8.6 · EPSS 0.00059
Exploits 0 · References 1

OSV · added 2025/12/19 4:43 p.m. · 2 views

CVE-2025-68477 Langflow vulnerable to Server-Side Request Forgery

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, an...

CVSS 7.7 · AI score 6.5 · EPSS 0.00027
Exploits 1 · References 3

CNNVD · added 2025/09/23 12:00 a.m. · 2 views

DNN Security Vulnerability

DNN (aka DotNetNuke) is a Microsoft-supported, open-source content management system (CMS) based on the ASP.NET platform from the U.S. company DNN. The system is easy to install, scalable, feature-rich and so on. A security vulnerability exists in versions prior to DNN 10.1.0, which stems from...

CVSS 5.3 · AI score 6.5 · EPSS 0.00072
Exploits 0 · References 1

OSV · added 2025/09/17 3:15 p.m. · 1 view

CVE-2025-9862

Server-Side Request Forgery (SSRF) vulnerability in Ghost allows an attacker to access internal resources. This issue affects Ghost: from 6.0.0 through 6.0.8, from 5.99.0 through 5.130.3...

CVSS 6.5 · AI score 7
Exploits 0 · References 4

CNVD · added 2025/08/20 12:00 a.m. · 1 view

Intel Device Plugins for Kubernetes Improper Access Control Vulnerability

Intel Device Plugins for Kubernetes is a set of frameworks and implementations developed by Intel for exposing hardware resources such as GPUs, FPGAs, etc. to container applications in a Kubernetes cluster. An improper access control vulnerability exists in Intel Device Plugins for Kubernetes,...

CVSS 6.7 · AI score 6.8 · EPSS 0.00022
Exploits 0 · References 1

CVE · added 2025/02/11 1:56 p.m. · 56 views

CVE-2025-26492

JetBrains TeamCity is affected when deployed with versions prior to 2024.12.2. The vulnerability stems from improper Kubernetes connection settings that could allow exposure of sensitive resources. Multiple connected sources (CNVD-2025-13414, RH: CVE-2025-26492, and Nessus plugin TEAMCITY_2024_12...

CVSS 9.1 · AI score 7.5 · EPSS 0.00005
Exploits 0 · References 1 · Affected Software 1

Positive Technologies · added 2024/04/29 12:00 a.m. · 4 views

PT-2024-25386 · Unknown · Cusmin Absolutely Glamorous Custom Admin

Name of the Vulnerable Software and Affected Versions: Cusmin Absolutely Glamorous Custom Admin versions through 7.2.2. Description: A Server-Side Request Forgery (SSRF) issue affects the software, allowing unauthorized access to internal resources. This can lead to sensitive data exposure or other...

CVSS 4.4 · AI score 6.7 · EPSS 0.00149
Exploits 0 · References 5

CNNVD · added 2023/12/15 12:00 a.m. · 2 views

WSO2 API Manager Security Vulnerability

WSO2 API Manager is a suite of API lifecycle management solutions from WSO2, USA. A security vulnerability exists in WSO2 API Manager that stems from an information disclosure vulnerability in REST API resources...

CVSS 5.3 · AI score 6.3 · EPSS 0.00295
Exploits 0 · References 2

CNNVD · added 2021/04/23 12:00 a.m. · 1 view

flow-server Security Vulnerability

Vaadin Flow is an application framework: the Java framework for the Vaadin platform for building modern websites that look great, perform well and keep you and your users happy. A security vulnerability exists in flow-server versions 1.2.0 through 2.4.7 that allows an attacker to gain access to the...

CVSS 8.6 · AI score 7.5 · EPSS 0.01802
Exploits 0 · References 5

Github Security Blog · added 2021/04/19 2:46 p.m. · 43 views

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request. ...

CVSS 8.6 · AI score 4.2 · EPSS 0.01802
Exploits 0 · References 3 · Affected Software 1

Positive Technologies · added 2021/04/19 12:00 a.m. · 3 views

PT-2021-19288 · Vaadin · Com.Vaadin:Flow-Server

Name of the Vulnerable Software and Affected Versions: com.vaadin:flow-server versions 1.2.0 through 2.4.7; com.vaadin:flow-server versions 6.0.0 through 6.0.1. Description: The issue allows an attacker to access application classes and resources on the server via a crafted HTTP request. This is du...

CVSS 8.6 · AI score 7.4 · EPSS 0.01802
Exploits 0 · References 13

Vaadin · added 2021/03/29 12:00 a.m. · 20 views

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request. See CWE-402: Transmission of Private...

CVSS 8.6 · AI score 0.9 · EPSS 0.01802
Exploits 0 · References 3 · Affected Software 2