Wallos Code Issue Vulnerability
Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos 4.8.4 and earlier contained code vulnerabilities due to incomplete SSRF protections. The vulnerability arises from the use of gethostbyname to verify the Webhook URL without utilizing the...
CVE-2026-40348 Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through POST /settings/jellyfin/server-url-verify. The endpoint accepts a user-controlled URL, appends...
OpenCTI Code Issue Vulnerability
OpenCTI is an open-source cyber threat intelligence platform developed by OpenCTI. Versions of OpenCTI prior to 6.8.16 had code vulnerabilities. These vulnerabilities stemmed from the data ingestion feature not verifying the URLs provided by users, which could lead to server-side request forgei...
EUVD-2025-202447
Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote code execution via webshell upload...
CVE-2025-52567 GLPI has overly permissive URL verification
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided...
CVE-2025-52567
GLPI vulnerability CVE-2025-52567 affects GLPI versions 0.84–10.0.18 where using RSS feeds or external calendars during planning allows SSRF. The issue is fixed in version 10.0.19. Related sources note an unauthenticated access path via the planning feature (phishing context) and server-side requ...
CVE-2020-25019
jitsi-meet-electron aka Jitsi Meet Electron before 2.3.0 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances...
PT-2024-33528 · Gaminghub · Gaminghub
Name of the Vulnerable Software and Affected Versions: GamingHub versions prior to 6.1.03.4 (Korea); GamingHub versions prior to 7.1.02.4 (Global). Description: The issue is related to insufficient verification of URL authenticity, allowing remote attackers to enable JavaScript in the webview. Th...
PT-2024-33529 · Gaminghub · Gaminghub
Name of the Vulnerable Software and Affected Versions: GamingHub versions prior to 6.1.03.4 (Korea); GamingHub versions prior to 7.1.02.4 (Global). Description: The issue is related to insufficient verification of URL authenticity in GamingHub, allowing remote attackers to load an arbitrary URL i...
Information Disclosure
nilsteampassnet/teampass is vulnerable to Information Disclosure. The vulnerability exists because the library does not properly verify the input URLs, which allows an attacker to gain sensitive information by accessing an incorrect path...
SUSE CVE-2015-1266
content/browser/webui/contentwebuicontrollerfactory.cc in Google Chrome before 43.0.2357.130 does not properly consider the scheme in determining whether a URL is associated with a WebUI SiteInstance, which allows remote attackers to bypass intended access restrictions via a similar URL, as...
CVE-2022-41156
Remote code execution vulnerability due to insufficient verification of URLs, etc. in OndiskPlayerAgent. A remote attacker could exploit the vulnerability to cause remote code execution by causing an arbitrary user to download and execute malicious code...
CVE-2022-41156 OndiskPlayer Remote Code Execution Vulnerability
Remote code execution vulnerability due to insufficient verification of URLs, etc. in OndiskPlayerAgent. A remote attacker could exploit the vulnerability to cause remote code execution by causing an arbitrary user to download and execute malicious code...
CVE-2022-41156
CVE-2022-41156 affects OndiskPlayerAgent. The root cause is insufficient verification of URLs, enabling remote code execution when a user is enticed to download and run malicious code. Documents indicate an RCE impact with high severity (CVE listed as high/7.8 base score). Some sources note Ondis...
nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
A flaw was found in the got package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket...
nodejs:16 security and bug fix update
An update is available for nodejs-nodemon, nodejs, nodejs-packaging. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Node.js is a software development platform f...
Full Read Server-Side Request Forgery (SSRF)
Description: In the recipe edit page, it is possible to upload an image directly or via a URL provided by the user. The function that fetches and saves the image from the URL does not perform any URL verification, which allows internal services to be fetched. Furthermore, after the resour...