75 matches found
CVE-2025-66407 Weblate has Server-Side Request Forgery vulnerability
Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is...
CVE-2025-40545
Affected product: SolarWinds Observability Self-Hosted. Vulnerability: Open redirection due to improper URL sanitization in the application. Root cause / nature: URL handling allows manipulation of the redirect target. Impact (as stated): Potential to redirect users to a malicious site (confident...
EUVD-2021-21684
Malware in sbrugna...
EUVD-2018-4275
Malware in sbrugna...
EUVD-2022-1710
Malicious code in bioql PyPI...
PT-2025-25468 · Apache · Apache Http Server
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server affected versions not specified Description: The issue concerns an unvalidated URL parameter. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue wa...
CVE-2024-31993
Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the scrapeimage function will retrieve an image based on a user-provided URL, however the provided URL is not validated to point to an external location and does not have any enforced rate limiting. The response from the...
CVE-2017-1000163
The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks...
WordPress plugin Payment Gateway for Telcell 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in the...
CVE-2025-32778
CVE-2025-32778 affects Web-Check’s /api/screenshot endpoint. A user-controlled url is passed to a shell command via exec(), enabling command injection that could lead to arbitrary commands on the host. The issue is mitigated by replacing exec() with execFile(), which avoids a shell and properly i...
RAGFlow 安全漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow version 0.12.0 that originates from an unvalidated URL and could lead to a server-side request forgery attack...
ComfyUI 代码问题漏洞
ComfyUI is one of the most powerful and modular diffusion model GUI and backend from comfyanonymous individual developers. A code issue vulnerability exists in ComfyUI version v0.2.4, which stems from an unvalidated URL and could lead to a server-side request forgery attack...
Silverstripe XSS in dev/build returnURL Parameter
A XSS risk exists in the returnURL parameter passed to dev/build. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site. This issue is resolved in framework 3.1.14 stable release...
GHSA-HQ4P-5MPR-JJ9M Silverstripe XSS in dev/build returnURL Parameter
A XSS risk exists in the returnURL parameter passed to dev/build. An unvalidated url could cause the user to redirect to an unverified third party url outside of the site. This issue is resolved in framework 3.1.14 stable release...
CVE-2024-25676
An issue was discovered in ViewerJS 0.5.8. A script from the component loads content via URL TAGs without properly sanitizing it. This leads to both open redirection and out-of-band resource loading...
VulnCheck KEV: CVE-2022-0656
The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udrawconverturltobase64 AJAX action available to both unauthenticated and authenticated users before using it in the filegetcontents function and returning its content base64 encoded...
CVE-2023-26491 RSSHub is vulnerable to cross-site scripting (XSS) via unvalidated URL parameters
RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructe...
SUSE CVE-2015-1298
The RuntimeEventRouter::OnExtensionUninstalled function in extensions/browser/api/runtime/runtimeapi.cc in Google Chrome before 45.0.2454.85 does not ensure that the setUninstallURL preference corresponds to the URL of a web site, which allows user-assisted remote attackers to trigger access to a...
Internet Bug Bounty: CVE-2022-45402: Apache Airflow: Open redirect during login
In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's /login endpoint. my initial email to [email protected]: Hi, In Apache Airflow, there is a parameter "next" on the Login page. And after a successful login, we're redirected to this parameter's value. I see...
CVE-2022-28372
On Verizon 5G Home LVSKIHP InDoorUnit IDU 3.4.66.162 and OutDoorUnit ODU 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via crtcfwupgrade or crtcfwimage. The URL provided is not validated, and thus allows for arbitrary file uplo...