153 matches found
EUVD-2026-36732
Mattermost Desktop App versions =6.1 5.5.13.0 do not account for attempts to open extremely long URLs, which allows a malicious server owner to crash the application by serving a script that calls window.open on a very large URL. Mattermost Advisory ID:...
PT-2026-47665
Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18...
EUVD-2026-33689
An authentication bypass by spoofing vulnerability in the Advanced Access Manager (AAM) plugin can be triggered via URL encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0...
CVE-2026-44971
CVE-2026-44971 affects GuardDog (CLI tool to identify malicious PyPI packages). From version 1.0.0 through 2.9.0, GuardDog’s remote project scanning path rewrites attacker-controlled repository URLs via a blind string replacement and then sends the caller’s GitHub credentials with the resulting r...
Bugsink security vulnerability
Bugsink is an open-source, self-hosted bug tracking software developed by Bugsink. Versions of Bugsink prior to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the fact that the event pages did not check that an event belonged to the issue referenced in the URL, which could allow authenticat...
Astra Linux - vulnerability in firefox
Search queries in the default search engine might appear to be the currently navigated URL, provided that the search query itself is a properly formed URL. This could lead to a site spoofing another site, if it was maliciously set as the default search engine. This vulnerability affects Firefox...
GHSA-X97M-QP5C-W9XJ Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs
Summary: Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as an Authorization: Bearer token, the value could become visible in browser history, copied links, and server/proxy/CDN access logs...
CVE-2026-5365
creationtimestamp | type | source
---|---|---
2026-05-14 09:16:39+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlsiavg4td2e
2026-05-14 09:32:09+00:00 | seen | https://bsky.app/profile/atomicedge.bsky.social/post/3mlsj4jpxuc2s
...
CVE-2026-40621
CVE-2026-40621 affects ELECOM wireless LAN access point devices where certain URLs are accessible without authentication. The description indicates unauthenticated access to specific endpoints, implying a lack of access control on those URLs. CVSS metrics (from JPCERT) show critical impact: high ...
PT-2026-40597
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication...
CVE-2026-7437
creationtimestamp | type | source
---|---|---
2026-05-12 16:33:15+00:00 | seen | https://bsky.app/profile/atomicedge.bsky.social/post/3mlo7piqk362l
2026-05-12 17:13:15+00:00 | seen | https://bsky.app/profile/donwebmedia.bsky.social/post/3mlobxbow3o2s
...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-urllib3 (UTSA-2026-017489)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017489 advisory. An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression...
CVE-2026-42307
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL e.g., using the sftp:// or file:// protocol handlers, an attacker can execute arbitrary...
PT-2026-38308
Name of the Vulnerable Software and Affected Versions: MISP Modules versions prior to 3.0.7. Description: Unsafe remote resource fetching exists in expansion modules. The html to markdown module accepts arbitrary HTTPS URLs without sufficient validation, enabling Server-Side Request Forgery (SSRF)...
CVE-2026-7791
creationtimestamp | type | source
---|---|---
2026-05-04 22:49:52+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2qzt3ddo26
2026-05-04 23:11:33+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3ml2samn7ly2p
2026-05-05 02:11:32+00:00 | seen | ...
JLSEC-2026-402
A cleartext transmission of sensitive information vulnerability exists in curl v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is...
JLSEC-2026-425 URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file...
URLs containing percent-encoded slashes (/ or \) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...
CVE-2026-7712
creationtimestamp | type | source
---|---|---
2026-05-04 00:00:41+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mkyejjpcik2p
2026-05-04 00:00:49+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116513363610813393
2026-05-04 01:08:37+00:00 | seen | ...
CodeChecker security vulnerability
CodeChecker is an open-source analysis tool developed by Ericsson, which includes Clang Static Analyzer and Clang Tidy. It also provides a database of defects and extensions for viewers. Versions of CodeChecker prior to 6.27.3 contained security vulnerabilities. These vulnerabilities stemmed from...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
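Three of the entries above describe the same class of mistake, a URL authority or path that is parsed loosely and then trusted: the urllib3 entry (many @ characters in the authority driving a backtracking regex), the wcurl entry (percent-encoded slashes decoded into an output file name) and the net/url entry (garbage before an IPv6 literal silently ignored). The following is an added example written for this listing, not code from urllib3, wcurl or Go's net/url; it is a strict, anchored authority parser plus a file-name derivation that decodes before it checks. The accepted host grammar (`_HOST_RE`), the function names and the sample URLs are all assumptions constructed for illustration.

```python
"""Strict URL authority and output-file-name checks (constructed example; not
the code of urllib3, wcurl or net/url, and the grammar below is an assumption)."""
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Assumed host grammar: either a bracketed IPv6 literal with nothing before or
# after it, or a reg-name / dotted quad, plus an optional port. Anchored at
# both ends so "junk[::1]" and "[::1]junk" are rejected rather than ignored.
_HOST_RE = re.compile(
    r"""^(?:\[(?P<ip6>[0-9A-Fa-f:.]+)\]   # bracketed IP literal
          |(?P<reg>[A-Za-z0-9.-]+))        # reg-name or IPv4
        (?::(?P<port>\d{1,5}))?$""",
    re.VERBOSE,
)


def parse_authority(authority: str) -> dict:
    """Split userinfo@host:port in a single pass with no backtracking."""
    # RFC 3986 lets '@' appear inside userinfo, so the last '@' is the
    # separator. A run of many '@' is exactly the shape that makes a
    # backtracking authority regex slow, so refuse it up front: the cost of
    # this function stays linear in the length of the input.
    if authority.count("@") > 1:
        raise ValueError("multiple '@' in authority")
    userinfo, _, hostport = authority.rpartition("@")
    m = _HOST_RE.match(hostport)
    if not m:
        raise ValueError(f"invalid host/port: {hostport!r}")
    if m.group("ip6") is not None:
        # AddressValueError is a ValueError, so "[1::2::3]" is refused too.
        host = str(ipaddress.IPv6Address(m.group("ip6")))
    else:
        host = m.group("reg").lower()
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"userinfo": userinfo, "host": host, "port": port}


def output_filename(path: str) -> str:
    """Derive a local file name from the last path segment, percent-decoding it
    BEFORE the safety checks so "%2F" and "%5C" cannot smuggle in a directory."""
    decoded = unquote(path.rsplit("/", 1)[-1])
    if not decoded or decoded in (".", "..") or any(c in decoded for c in "/\\\x00"):
        raise ValueError(f"unsafe output file name: {decoded!r}")
    return decoded


def check_url(url: str) -> dict:
    """Run every check and return a report instead of raising, so a caller can
    log why an externally supplied URL was refused."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            raise ValueError(f"unsupported scheme: {parts.scheme!r}")
        report = parse_authority(parts.netloc)
        report["filename"] = output_filename(parts.path)
        return {"ok": True, **report}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed inputs mirroring the three failure modes discussed above.
    for url in (
        "https://user:pw@Example.com:8080/dl/report.pdf",  # accepted
        "https://[::1]:443/index.html",                     # accepted
        "https://junk[::1]/",                               # garbage before IP literal
        "https://a@b@c@d@example.com/",                     # many '@' in authority
        "https://example.com/x/..%2F..%2Fetc%2Fpasswd",    # encoded '/' in file name
        "https://example.com/x/..%5Cwin.ini",               # encoded '\' in file name
    ):
        print(url, "->", check_url(url))
```

The two design choices worth copying are the anchors on both ends of the host regex (an unanchored match is what turns "garbage before an IP literal" into "ignorable") and the order in `output_filename`: decode first, then check for separators. A check that runs before `unquote`, or a `basename` call that runs before decoding, passes "..%2F" through and lets the later decode step write outside the working directory.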