34 matches found
CVE-2026-45660
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP...
PT-2026-41695
Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.22 Statamic versions prior to 6.18.1 Description The Glide image proxy contains a flaw where URL validation can be bypassed using an IP representation that is not normalized before the public-IP check. This allo...
EUVD-2026-28199
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests...
GHSA-CWCX-382V-8M9G Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
Impact An authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo URL pointing at a private address e.g. http://127.0.0.1:999...
CVE-2026-39362 InvenTree has SSRF via Remote Image Download — No IP/Hostname Validation on remote_image URLs
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...
GHSA-MC26-Q38V-83GV OpenStack Glance is affected by Server-Side Request Forgery (SSRF)
OpenStack Glance versions = 30.0.0 30.1.1, == 31.0.0 are affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only the glance image import functionality is affected. In particular, the...
Security Bulletin: Multiple vulnerabilities in IBM Watsonx BI Assistant for CP4D
Summary Multiple vulnerabilities were addressed in IBM Watsonx BI Assistant for CP4D version 5.3.1.2 Vulnerability Details CVEID:CVE-2026-26278 DESCRIPTION: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no...
CVE-2026-25534
CVE-2026-25534 affects Spinnaker clouddriver and Orca URL validation, where underscores in hostnames were not properly handled by Java URL parsing, bypassing prior URL validation checks. Public sources (NVD/Red Hat/Snyk/OSV) confirm the impact and note that patches have been merged to be released...
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
Security Bulletin: Security vulnerabilities have been found in IBM Verify Identity Access Digital Credentials (CVE-2025-56200, CVE-2025-64118, CVE-2025-59343)
Summary Security vulnerabilities have been addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2025-56200 DESCRIPTION: A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL function uses '://' as a delimiter to par...
URL Validation Bypass
validator.js is vulnerable to a URL Validation Bypass. The vulnerability is due to isURL using :// instead of : to parse protocols, allowing attackers to craft URLs that bypass protocol and domain checks and potentially enable XSS or open-redirect attacks...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to different node modules (CVE-2025-57350,CVE-2025-56200 & CVE-2025-64118)
Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to multiple vulnerabilities due to csvtojson, node-tar packages and validator modules CVE-2025-57350,CVE-2025-56200 &...
EUVD-2019-13488
Malware in sbrugna...
EUVD-2021-0088
Malware in sbrugna...
EUVD-2021-0089
Malware in sbrugna...
EUVD-2022-7078
Malicious code in bioql PyPI...
EUVD-2025-31764
Malicious code in bioql PyPI...
CVE-2025-56200
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leadi...
UBUNTU-CVE-2025-56200
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leadi...
validator.js security vulnerability
Validator.js is a string validator. A security vulnerability exists in validator.js version 13.15.15 and earlier, which stems from a URL validation bypass that could lead to cross-site scripting and open redirection attacks...