191 matches found

ATTACKERKB
added 2026/05/25 2:00 p.m. | 5 views

CVE-2026-47067

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a...

CVSS 8.7 | AI score 5.8 | EPSS 0.00049
Exploits: 1 | References: 5 | Affected Software: 1
NVD
added 2026/05/12 6:17 p.m. | 8 views

CVE-2026-43929

ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser bui...

CVSS 8.2 | EPSS 0.00051
Exploits: 0 | References: 1
CVE
added 2026/05/12 5:49 p.m. | 6 views

CVE-2026-43929

The provided sources describe a concrete SSRF vulnerability in ssrfcheck (CVE-2026-43929) where IPv4 private addresses encoded as IPv4-mapped IPv6 inside URLs bypass the library’s private-IP denial logic. In ssrfcheck v1.3.0 and earlier, the WHATWG URL parser normalizes IPv4-mapped inputs to hex ...

CVSS 8.2 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 1
Cvelist
added 2026/05/12 5:49 p.m. | 24 views

CVE-2026-43929 ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs

ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser bui...

CVSS 8.2 | EPSS 0.00051
Exploits: 0 | References: 1
ATTACKERKB
added 2026/05/07 9:18 p.m. | 2 views

CVE-2026-8034

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a differe...

CVSS 7.9 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 6 | Affected Software: 1
CVE
added 2026/05/07 9:18 p.m. | 8 views

CVE-2026-8034

CVE-2026-8034 is a server-side request forgery (SSRF) vulnerability in the GitHub Enterprise Server notebook viewer. The issue stems from URL parser confusion between the validation layer and the HTTP request library, where hostname validation uses a different parser than the request library, all...

CVSS 9.8 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 5 | Affected Software: 1
Cvelist
added 2026/05/07 9:18 p.m. | 28 views

CVE-2026-8034 Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a differe...

CVSS 7.9 | EPSS 0.00062
Exploits: 0 | References: 5
Positive Technologies
added 2026/05/07 12:00 a.m. | 6 views

PT-2026-38594

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.21. Description: A server-side request forgery (SSRF) issue exists in the notebook viewer. This occurs due to URL parser confusion between the validation layer and the HTTP request library, where the...

CVSS 7.9 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 10
OSV
added 2026/05/05 8:29 p.m. | 3 views

GHSA-J4RJ-2JR5-M439 ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs

Summary: ssrfcheck v1.3.0 (latest) fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to...

CVSS 8.2 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 3
NVD
added 2026/04/17 9:16 p.m. | 1 views

CVE-2026-40299

next-intl provides internationalization for Next.js. Applications using the next-intl middleware prior to version 4.9.1 with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host, e.g. scheme-relative // or...

CVSS 6.9 | EPSS 0.00059
Exploits: 0 | References: 4
Snyk
added 2026/04/10 12:30 a.m. | 1 views

Regular Expression Denial of Service (ReDoS)

Overview: js-video-url-parser is a parser to extract provider, video id, starttime and others from YouTube, Vimeo, ... urls. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the getTime function in lib/util.js. An attacker can cause excessive...

CVSS 6.9 | AI score 5.9 | EPSS 0.0006
Exploits: 0 | References: 2
vulnersOsv
added 2026/04/10 12:30 a.m. | 3 views

@1eg/theme-editor-cli (>=0.13.0 <=1.17.0), @aicontextlab/cli (>=0.0.0-dev <=0.2.2) +314 more potentially affected by CVE-2026-5986 via js-video-url-parser (>=0.2.8 <=0.5.1)

js-video-url-parser NPM version =0.2.8, =0.13.0, =0.0.0-dev, =0.2.5, =1.0.103, =0.12.77, =0.1.0, =0.1.136, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.10 and more Source cves: CVE-2026-5986 Source advisory: OSV:GHSA-8FGX-WGVR-PCX8...

CVSS 6.9 | AI score 6 | EPSS 0.0006
Exploits: 0
vulnersOsv
added 2026/04/10 12:30 a.m. | 3 views

@1eg/theme-editor-cli (>=0.13.0 <=1.17.0), @aicontextlab/cli (>=0.0.0-dev <=0.2.2) +314 more potentially affected by CVE-2026-5986 via js-video-url-parser (>=0.2.8 <=0.5.1)

js-video-url-parser NPM version =0.2.8, =0.13.0, =0.0.0-dev, =0.2.5, =1.0.103, =0.12.77, =0.1.0, =0.1.136, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.8, =1.2.10 and more Source cves: CVE-2026-5986 Source advisory: SNYK:JS-JSVIDEOURLPARSER-15995499...

CVSS 6.9 | AI score 6 | EPSS 0.0006
Exploits: 0
EUVD
added 2026/04/10 12:30 a.m. | 1 views

EUVD-2026-21236

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...

CVSS 6.9 | AI score 5.8 | EPSS 0.0006
Exploits: 0 | References: 6
RedHat Linux
added 2026/03/26 1:47 p.m. | 0 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVSS 7.5 | AI score 5.9 | EPSS 0.00044
Exploits: 0 | References: 8
Tenable Nessus
added 2026/03/26 12:00 a.m. | 2 views

AlmaLinux 8 : python3 (ALSA-2026:5588)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:5588 advisory. python: cpython: URL parser allowed square brackets in domain names (CVE-2025-0938). Tenable has extracted the preceding description block directly from the AlmaLinux...

CVSS 6.3 | AI score 6 | EPSS 0.01639
Exploits: 0 | References: 3
OSV
added 2026/03/24 12:00 a.m. | 0 views

ALSA-2026:5588 Moderate: python3 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

CVSS 6.3 | AI score 7.1 | EPSS 0.01639
Exploits: 0 | References: 4
Tenable Nessus
added 2026/01/13 12:00 a.m. | 1 views

MiracleLinux 9 : python3.9-3.9.21-2.el9 (AXSA:2025-10382:01)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10382:01 advisory. python: cpython: URL parser allowed square brackets in domain names (CVE-2025-0938). Tenable has extracted the preceding description block directly from the...

CVSS 6.3 | AI score 6.8 | EPSS 0.01639
Exploits: 0 | References: 2
EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2019-15410

Malware in sbrugna...

CVSS 4.3 | AI score 7.1 | EPSS 0.00976
Exploits: 0 | References: 14
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2016-1579

Malware in sbrugna...

CVSS 7.5 | AI score 8 | EPSS 0.00402
Exploits: 0 | References: 10