Lucene search

4 matches found

Snyk
added 2026/04/22 7:57 p.m. | 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...

CVSS 8.5 | AI score 5.9 | EPSS 0.00018
Exploits: 0 | References: 4
OSV
added 2026/04/14 11:27 p.m. | 2 views

GHSA-PQ8P-WC4F-VG7J WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection

Summary: The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Affected Package - Ecosystem: Other - Package: AVideo - Affected versions: = commit...

CVSS 9.3 | AI score 6.7 | EPSS 0.00071
Exploits: 2 | References: 7
VulnCheck KEV
added 2026/04/12 12:0 a.m. | 5 views

VulnCheck KEV: CVE-2025-22952

elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks...

CVSS 9.8 | AI score 5.8 | EPSS 0.27937
In wild | Exploits: 1 | References: 20
NVD
added 2025/10/24 12:15 p.m. | 3 views

CVE-2025-10861

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter...

CVSS 7.5 | EPSS 0.00071
Exploits: 0 | References: 5