CVE-2026-56227

Capgo before 12.128.2 is affected by a server-side request forgery (SSRF) in webhook URL validation. The flaw permits configuring webhooks to loopback or internal addresses (e.g., localhost/127.0.0.1). When triggered, the backend makes outbound requests to those addresses, and error responses are...

CVE-2026-56227 Capgo - Server-Side Request Forgery via Webhook URL Validation

Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these...

CVE-2026-2393

A Server-Side Request Forgery SSRF vulnerability exists in MLflow versions prior to 3.9.0. The createwebhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the sendwebhookrequest function in mlflow/webhooks/delivery.py sends HTTP POST request...

EUVD-2026-31855

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be partially bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For...

Hemmelig 安全漏洞

Hemmelig is a content encryption software from Hemmelig Open Source. A security vulnerability exists in Hemmelig versions prior to 7.3.3 that stems from an SSRF filter bypass in Webhook URL validation, which could lead to server-side request forgery attacks...