8 matches found
CVE-2026-10564
IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery SSRF. The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker c...
CVE-2026-33126
Frigate is a network video recorder (NVR) for IP cameras. A vulnerability exists in the /ffprobe endpoint where, prior to version 0.16.3, it accepts arbitrary user-controlled URLs without proper validation, enabling Server-Side Request Forgery (SSRF). An attacker could use the Frigate server to i...
CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of...
Server Side Request Forgery (SSRF)
bentoml is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to the file upload handlers automatically downloading files from user-provided URLs without validating their targets, which allows an attacker to make the server send arbitrary HTTP requests to internal or...
Cross-site Scripting (XSS)
Overview org.webjars.npm:koa is a Koa web app framework Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ctx.redirect function. An attacker can execute scripts on the user's browser or redirect users to malicious sites by supplying malicious input as an achor...
pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools
A flaw was found in the packageindex module of pypa/setuptools. Affected versions of this package allow remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to co...
pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools
A flaw was found in the packageindex module of pypa/setuptools. Affected versions of this package allow remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to co...
Cross site scripting
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Link Wrapper functionality in all versions up to, and including, 4.10.17 due to insufficient input sanitization and output escaping on user supplied links. This makes it possible fo...