50 matches found
MAL-2026-4142 Malicious code in jest-url-loader (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Malicious code in jest-url-loader (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
GHSA-89V5-38XR-9M4J Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
Summary Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code 1. Webhook Send Endpoint Most Critical apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...
Server-side Request Forgery (SSRF)
Overview @langchain/community is a Third-party integrations for LangChain.js Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the RecursiveUrlLoader class. An attacker can access internal network resources or sensitive cloud metadata by supplying a public U...
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Summary A redirect-based Server-Side Request Forgery SSRF bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metada...
GHSA-MPHV-75CG-56WG LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Summary A redirect-based Server-Side Request Forgery SSRF bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metada...
CVE-2026-27795
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery SSRF bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects...
CVE-2026-27795 LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery SSRF bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects...
LangChain.js 代码问题漏洞
LangChain.js is an open-source implementation of a context-aware reasoning application developed by LangChain. Versions of LangChain.js prior to 1.1.8 contained code vulnerabilities. These vulnerabilities stemmed from the RecursiveUrlLoader component, which allowed unauthorized access to...
CVE-2026-26019
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option enabled by default is intended to restrict crawling to the same site...
CVE-2026-26019
CVE-2026-26019 affects the LangChain JS library (@langchain/community) before version 1.1.14, specifically the RecursiveUrlLoader. The cause is insufficient URL origin validation: it relied on String.startsWith() to compare URLs, failing to validate semantic origin and permitting crawling of atta...
CVE-2026-26019 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option enabled by default is intended to restrict crawling to the same site...
CVE-2026-26019 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option enabled by default is intended to restrict crawling to the same site...
LangChain 代码问题漏洞
LangChain is an open-source framework developed by LangChain for creating applications powered by large language models LLMs. Versions of LangChain prior to 1.1.14 contained code vulnerabilities. These vulnerabilities stemmed from insufficient URL validation in the RecursiveUrlLoader class within...
EUVD-2013-0928
Malware in sbrugna...
EUVD-2012-5063
Malware in sbrugna...
EUVD-2024-0652
Malicious code in bioql PyPI...
CVE-2024-0243
With the following crawler configuration: python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader url=url, maxdepth=2, extractor=lambda x: Soupx, "html.parser".text docs = loader.load An attacker in control of the contents of https://example.com could...
CVE-2024-0243
With the following crawler configuration: python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader url=url, maxdepth=2, extractor=lambda x: Soupx, "html.parser".text docs = loader.load An attacker in control of the contents of https://example.com could...
CVE-2024-0243 Server-side Request Forgery In Recursive URL Loader
With the following crawler configuration: python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader url=url, maxdepth=2, extractor=lambda x: Soupx, "html.parser".text docs = loader.load An attacker in control of the contents of https://example.com could...