Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

22 matches found

NVD
NVDadded 2026/05/27 6:16 p.m.9 views

CVE-2026-45061

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

7.7CVSS0.00032EPSS
Exploits0References1
EUVD
EUVDadded 2026/05/27 4:50 p.m.5 views

EUVD-2026-32586

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

7.7CVSS5.8AI score0.00032EPSS
Exploits0References1
Snyk
Snykadded 2026/05/11 4:20 p.m.6 views

Server-side Request Forgery (SSRF)

Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the urlUpload function. An attacker can access internal network resources and sensitive metadata by submitting a...

7.7CVSS5.9AI score0.00032EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/05/11 12:0 a.m.7 views

PT-2026-39904

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.35.10 Description The Plugin URL upload endpoint "POST /api/plugin" contains a flaw in how it validates submitted URLs. It uses a simple substring check to verify if the url variable contains ".tar.gz", which can b...

7.7CVSS5.8AI score0.00032EPSS
Exploits0References4
RedhatCVE
RedhatCVEadded 2026/02/04 3:15 a.m.4 views

CVE-2025-46651

Tiny File Manager through 2.6 contains a server-side request forgery SSRF vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain...

4.3CVSS5.4AI score0.00014EPSS
Exploits0References1
NVD
NVDadded 2026/02/03 6:16 p.m.1 views

CVE-2025-46651

Tiny File Manager through 2.6 contains a server-side request forgery SSRF vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain...

4.3CVSS0.00014EPSS
Exploits0References2
OSV
OSVadded 2026/02/03 6:16 p.m.1 views

CVE-2025-46651

Tiny File Manager through 2.6 contains a server-side request forgery SSRF vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain...

4.3CVSS5.5AI score0.00014EPSS
Exploits0References2
CNNVD
CNNVDadded 2026/02/03 12:0 a.m.3 views

Tiny File Manager 安全漏洞

Tiny File Manager is a web-based open-source file manager developed by Prasath Mani. Versions of Tiny File Manager 2.6 and earlier had security vulnerabilities. These vulnerabilities stemmed from insufficient URL validation in the URL upload function, which could lead to server-side request...

4.3CVSS5.8AI score0.00014EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/02/03 12:0 a.m.2 views

CVE-2025-46651

Tiny File Manager through 2.6 contains a server-side request forgery SSRF vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain...

5.5AI score0.00014EPSS
Exploits0References3
Cvelist
Cvelistadded 2026/02/03 12:0 a.m.24 views

CVE-2025-46651

Tiny File Manager through 2.6 contains a server-side request forgery SSRF vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain...

0.00014EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/02/03 12:0 a.m.2 views

PT-2026-5900

Name of the Vulnerable Software and Affected Versions Tiny File Manager versions through 2.6 Description The software contains a server-side request forgery SSRF issue in the URL upload feature. Insufficient validation of user-supplied URLs allows an attacker to send crafted requests to localhost...

4.3CVSS5.4AI score0.00014EPSS
Exploits0References6
CVE
CVEadded 2026/02/03 12:0 a.m.8 views

CVE-2025-46651

CVE-2025-46651 affects Tiny File Manager up to version 2.6, where a server-side request forgery (SSRF) exists in the URL upload feature due to insufficient validation of user-supplied URLs. An attacker can craft requests to localhost (e.g., via domains like http://www.127.0.0.1.example.com/), pot...

4.3CVSS5.5AI score0.00014EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/01/23 4:47 p.m.3 views

CVE-2021-47899 YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability

YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the urluploadhandler endpoint to access sensitive files like /etc/passwd by...

6.9CVSS5.5AI score0.0008EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/01/13 10:51 p.m.1 views

CVE-2022-50905 e107 CMS v3.2.1 - Reflected XSS via Comment Flow

e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting XSS attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code...

9.8CVSS5.5AI score0.00089EPSS
Exploits1References4
CVE
CVEadded 2026/01/13 10:51 p.m.9 views

CVE-2022-50905

CVE-2022-50905 affects e107 CMS v3.2.1. The issues: (1) a reflected XSS in the news comment flow, where an authenticated user can inject JavaScript via a URL parameter that executes when they click outside the comment field; (2) an upload restriction bypass for authenticated administrators that e...

9.8CVSS5.5AI score0.00089EPSS
Exploits1References4Affected Software1
OSV
OSVadded 2025/12/05 11:15 p.m.1 views

CVE-2025-14116

A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument healthurl results in server-side request forgery. The attack can be initiated remotely. The explo...

5.1CVSS5.1AI score
Exploits0References5
Cvelist
Cvelistadded 2025/12/05 5:31 a.m.20 views

CVE-2025-12153 Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload

The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on...

8.8CVSS0.00219EPSS
Exploits0References2
NVD
NVDadded 2024/07/07 4:15 p.m.17 views

CVE-2024-6229

A stored cross-site scripting XSS vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

6.8CVSS0.0016EPSS
Exploits1References1
Vulnrichment
Vulnrichmentadded 2024/07/07 3:22 p.m.11 views

CVE-2024-6229 Stored XSS in stangirard/quivr

A stored cross-site scripting XSS vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

6.8CVSS5.6AI score0.0016EPSS
Exploits1References1
CVE
CVEadded 2024/07/07 3:22 p.m.55 views

CVE-2024-6229

CVE-2024-6229 is a stored XSS vulnerability in stangirard/quivr’s Upload Knowledge feature. An attacker can upload a URL-based file containing malicious JavaScript, which is stored on the server and executed when users click the payload-containing link, potentially enabling data theft and session...

6.8CVSS5.6AI score0.0016EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder