Lucene search

4 matches found

OSV
added 2026/04/14 11:22 p.m., 5 views

GHSA-J432-4W3J-3W8J: WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL

Summary: The isSSRFSafeURL function in objects/functions.php contains a same-domain short-circuit (lines 4290-4296) that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach...

CVSS 7.7, AI score 5.8, EPSS 0.003
Exploits 1, References 4
EUVD
added 2026/03/26 12:30 p.m., 3 views

EUVD-2026-16164

plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while...

CVSS 10, AI score 6.2, EPSS 0.01279
Exploits 0, References 4
CVE
added 2026/02/05 12:00 a.m., 10 views

CVE-2025-69906

CVE-2025-69906 affects Monstra CMS v3.0.4, specifically the Files Manager plugin. The vulnerability arises from blacklist-based file extension validation and storing uploaded files in a web-accessible directory, enabling remote code execution when uploaded files are interpreted as executable code...

CVSS 8.8, AI score 8.6, EPSS 0.00681
Exploits 2, References 2, Affected Software 1
Cvelist
added 2026/01/05 12:00 a.m., 26 views

CVE-2025-67303

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface...

EPSS 0.01361
Exploits 3, References 2