679 matches found
PT-2026-43434
Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.22 Description A server-side request forgery SSRF issue exists where an unauthenticated attacker can send crafted requests to internal services due to insufficient input validation in an upload...
CVE-2026-40682
A flaw was found in Apache OpenNLP. A remote attacker can exploit this vulnerability by providing a specially crafted dictionary file. This can lead to an XML External Entity XXE injection, which allows for the disclosure of local files or enables server-side request forgery SSRF, where the serve...
CVE-2026-44598
With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...
CVE-2026-7798 FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for...
PT-2026-42735
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for...
Astra Linux – Vulnerability in Apache2
A properly crafted URI sent to httpd, configured as a forward proxy with ProxyRequests enabled, can cause a crash NULL pointer dereference. In configurations that mix forward and reverse proxy declarations, it can also allow requests to be directed to a declared Unix Domain Socket endpoint...
GHSA-JH67-HWQW-M5R7 rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
Summary Alice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice's configured target host with Bob's host and returns the server-side response ...
CVE-2026-33234
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogptplatform/backend/backend/blocks/emailblock.py accepts a user-supplied smtpserver string and smtpport integer as...
terrascan 代码问题漏洞
Trenescan is an open-source infrastructure code static security analysis tool developed by Tenable. Versions of Trenescan 1.18.3 and earlier contained code vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing vulnerability in the webhookurl parameter of the file...
CVE-2026-6333
Mattermost versions 11.5.x <= 11.5.1 and 10.11.x
📄 Lobster_pro Arbitrary File Read / Server-Side Request Forgery
Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobsterpro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. -----BEGIN PGP...
EUVD-2026-30636
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is fixed in 0.9.5...
CVE-2021-47958
CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...
CVE-2026-39053
Oinone Pamirs 7.0.0 contains an XML External Entity XXE issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML... or ViewXmlUtils.fromXML..., unsafe XML processing can lead to file disclosure or SSRF...
Server-side Request Forgery (SSRF)
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through getcontentfromurl in retrieval/utils.py, SafeWebBaseLoader in web/base.py, and imageedits in routers/images.py. An attacker can cause the server to fetch internal...
CVE-2026-44661
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registermanual validates the discovery URL against an HTTPS /...
CVE-2026-44589 nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl denylist introduced in [email protected] to remediate GHSA-pqhr-mp3f-hrpp Dmitry Prokhorov / Positive Technologies, March 2026 is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validatio...
Missing Authentication
github.com/dgraph-io/dgraph is vulnerable to Missing Authentication. The vulnerability is due to the restoreTenant admin mutation missing authorization middleware validation, which allows an unauthenticated attacker to overwrite the database, access server-side files via file:// paths, and perfor...
CVE-2026-42281 MagicMirror²: Unauthenticated SSRF via /cors endpoint
MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadat...
CVE-2026-42596 Gotenberg: Unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as...