14 matches found

Positive Technologies
added 2026/05/18 12:0 a.m. · 8 views

PT-2026-41691

Name of the Vulnerable Software and Affected Versions: mcp-security versions prior to 0.1.9 Description: The mcp-security framework fails to implement mandatory Server-Side Request Forgery (SSRF) mitigations—a flaw where an attacker can induce the server to make requests to an unintended location—as...

CVSS 7.2 · AI score 5.8 · EPSS 0.00043
Exploits: 0 · References: 8
RedhatCVE
added 2026/01/09 11:20 a.m. · 2 views

CVE-2021-22969

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS ex AWS IAM keys. To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading...

CVSS 5.3 · AI score 6.7 · EPSS 0.00268
Exploits: 0 · References: 1
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-11802

Malicious code in bioql PyPI...

CVSS 7.6 · AI score 6.6 · EPSS 0.00983
Exploits: 1 · References: 3
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-11803

Malicious code in bioql PyPI...

CVSS 7.6 · AI score 6.6 · EPSS 0.00975
Exploits: 1 · References: 3
EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-11805

Malicious code in bioql PyPI...

CVSS 7.6 · AI score 6.6 · EPSS 0.00946
Exploits: 0 · References: 3
RedhatCVE
added 2025/04/26 6:9 a.m. · 5 views

CVE-2025-29458

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation...

CVSS 7.6 · AI score 6.5 · EPSS 0.00983
Exploits: 1 · References: 1
RedhatCVE
added 2025/04/26 6:4 a.m. · 5 views

CVE-2025-29460

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation...

CVSS 7.6 · AI score 6.5 · EPSS 0.00946
Exploits: 0 · References: 1
RedhatCVE
added 2025/04/26 6:2 a.m. · 2 views

CVE-2025-29459

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation...

CVSS 7.6 · AI score 6.5 · EPSS 0.00975
Exploits: 1 · References: 1
OSV
added 2025/04/17 10:15 p.m. · 2 views

CVE-2025-29459

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation...

CVSS 7.6 · AI score 5.8 · EPSS 0.00975
Exploits: 1 · References: 2
Positive Technologies
added 2024/06/13 12:0 a.m. · 2 views

PT-2024-27348 · Microsoft +1 · Azure Blob Storage +1

Name of the Vulnerable Software and Affected Versions: Computer Vision Annotation Tool (CVAT) versions 2.1.0 through 2.14.3 Description: The issue allows an attacker with a CVAT account to exploit a feature by specifying custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob...

CVSS 8.5 · AI score 7 · EPSS 0.00284
Exploits: 0 · References: 6
Github Security Blog
added 2023/11/09 10:3 p.m. · 38 views

Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

Impact: An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open door for other attack vectors: client-side vulnerabilities: XSS/CSRF in the context of the trusted domain; interaction with...

CVSS 9.3 · AI score 7 · EPSS 0.0105
Exploits: 0 · References: 8 · Affected Software: 1
OSV
added 2021/11/23 6:18 p.m. · 13 views

GHSA-MCXR-FX5F-96QQ Server-Side Request Forgery in Concrete CMS

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS ex AWS IAM keys. To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading...

CVSS 5.3 · AI score 5.4 · EPSS 0.00268
Exploits: 0 · References: 3
OpenVAS
added 2021/11/22 12:0 a.m. · 22 views

Concrete CMS < 8.5.7 Multiple Vulnerabilities

Concrete CMS is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:concretecms:concretecms"; if...

CVSS 8.8 · AI score 7.5 · EPSS 0.09143
Exploits: 1 · References: 1
Prion
added 2021/11/19 7:15 p.m. · 14 views

Design/Logic Flaw

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS ex AWS IAM keys. To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading...

CVSS 5 · AI score 5.2 · EPSS 0.00268
Exploits: 0 · References: 2 · Affected Software: 1