Lucene search
K

90 matches found

Nuclei
Nuclei
added yesterday65 views

Dify v1.6.0 - Server-Side Request Forgery

Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remotefiles.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access. id: CVE-2025-56520 info: name: Dify v1.6.0 - Server-Side Request...

5.3CVSS6.2AI score0.00649EPSS
Exploits1References2
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-15143 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:)

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS0.00255EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42927

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS6.1AI score0.00255EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 4 days ago7 views

CVE-2026-15143

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS6.1AI score0.00255EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/07 3:23 a.m.5 views

EUVD-2026-41997

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...

4.3CVSS6AI score0.00171EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 5:29 p.m.7 views

GHSA-JHHC-3HCP-QHM5 WeasyPrint has CSS Injection via Presentational Hints

Summary A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input. Details File: weasyprint/css/init.py The...

6.5CVSS6AI score
Exploits0References2
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.9 views

JetBrains TeamCity 代码问题漏洞

JetBrains TeamCity is a set of distributed build management and continuous integration tools developed by the Czech company JetBrains. This tool offers features such as continuous unit testing, code quality analysis, and reporting on build issues. Versions of JetBrains TeamCity prior to 2026.1 an...

7.5CVSS5.9AI score0.00287EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/05/14 3:30 a.m.13 views

SUSE CVE-2003-0098

Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10.5, allows remote attackers to gain root privileges, possibly via format strings in a request to a slave server...

10CVSS5.8AI score0.05174EPSS
Exploits0References3
CVE
CVE
added 2026/05/12 2:19 a.m.24 views

CVE-2026-0502

The CVE-2026-0502 entry concerns SAP BusinessObjects Business Intelligence Platform with a CSRF protection flaw. An authenticated user can be tricked into sending unintended requests to the web server, leading to low impact on integrity and availability and no confidentiality impact. Public detai...

5.4CVSS5.8AI score0.00121EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/11 9:25 p.m.9 views

CVE-2026-42188 Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL

Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery SSRF vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an...

2.4CVSS5.9AI score0.00158EPSS
Exploits0References1
CVE
CVE
added 2026/05/08 3:50 p.m.25 views

CVE-2026-41887

The CVE-2026-41887 entry affects Flarum core prior to versions 1.8.16 and 2.0.0-rc.1, where values assigned to LESS-configurable settings (e.g., theme_primary_color/theme_secondary_color) are interpolated into LESS at compile time. An authenticated administrator can inject an arbitrary @import, e...

4.9CVSS5.9AI score0.00404EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/07 1:53 p.m.7 views

CVE-2026-41689 Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use...

6CVSS5.9AI score0.00176EPSS
Exploits0References1
CVE
CVE
added 2026/04/24 12:14 a.m.11 views

CVE-2026-31955

CVE-2026-31955 affects Xibo CMS prior to 4.4.1. An authenticated SSRF vulnerability in the remote DataSet functionality allows users with DataSet permissions (and the privilege to add DataSets to Layouts) to cause the CMS server to issue arbitrary HTTP requests to internal or external resources. ...

4.9CVSS5.8AI score0.00282EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/04/15 7:42 p.m.12 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection in the startAssetImport process. An attacker can access sensitive files on the server or initiate server-side requests by uploading specially crafted XML files containing external entity references. Thi...

7.6CVSS5.9AI score0.00249EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.8 views

Chamilo LMS 代码问题漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Versions of Chamilo LMS prior to 2.0.0-RC.3 contained code vulnerabilities. These vulnerabilities stemmed from...

8.6CVSS5.9AI score0.00344EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.4 views

PT-2026-31437

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE DOWNLOAD FROM URL is enabled opt-in, authenticated users can supply remote image URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation again...

5.3CVSS6AI score0.00233EPSS
Exploits0References2
OSV
OSV
added 2026/03/04 6:18 p.m.5 views

GHSA-X369-MCW8-8RVJ Dark Reader gives users the ability to request style sheets from local web servers

Description Dark Reader versions prior to 4.9.117 included a behavior where a website could request a style sheet from a locally running web server, for example http://localhost:8080/style.css, If an address was available and returned a text/css content type. Patches The problem was fixed in...

3.4CVSS5.9AI score0.00108EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/02 12:0 a.m.7 views

Chamilo 代码问题漏洞

Chamilo is an open-source learning management system developed by Chamilo. Versions of Chamilo prior to 1.11.28 had code vulnerabilities. These vulnerabilities stemmed from defects in the OpenId functionality, which could lead to forged server requests without proper verification...

5.3CVSS5.9AI score0.00323EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/02/12 9:42 p.m.5 views

CVE-2026-26075

FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain security issues. In addition to implementing internal network isolation in the deployment environment...

6.9CVSS5.5AI score0.00101EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/02/11 12:0 a.m.7 views

GitLab 代码问题漏洞

GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD Continuous Integration and Delivery. There are code-related vulnerabilities in versions of GitLab EE prior t...

5.4CVSS5.9AI score0.00164EPSS
Exploits0References4
Rows per page
Query Builder