Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-3048 |
|
Unsafe Deserialization in CVE-2026-3048 (CVE-2026-3048)
vulnerability in CVE-2026-3048 (CVE-2026-3048). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-42858 |
|
SSRF (Server-Side Request Forgery) in openedx (CVE-2026-42858)
SSRF in openedx (CVE-2026-42858). Confidential information can be exposed externally.
|
| CVE-2026-42860 |
|
SSRF (Server-Side Request Forgery) in edx-enterprise (CVE-2026-42860)
SSRF in edx-enterprise (CVE-2026-42860). Confidential information can be exposed externally. Exploitable via ``sync_provider_data``. Mitigation: upgrade to `7.0.5` or later.
|
| CVE-2026-42313 |
|
Vulnerability in pyload-ng (CVE-2026-42313)
vulnerability in pyload-ng (CVE-2026-42313). Confidential information can be exposed externally. Exploitable via ``ADMIN_ONLY_CORE_OPTIONS``. Mitigation: upgrade to `0.5.0b3.dev100` or later.
|
| CVE-2026-45061 |
|
SSRF (Server-Side Request Forgery) in budibase (CVE-2026-45061)
SSRF in budibase (CVE-2026-45061). Confidential information can be exposed externally. Exploitable via `POST /api/plugin`. Mitigation: upgrade to `3.35.10` or later.
|
| CVE-2026-44578 |
|
SSRF (Server-Side Request Forgery) in next (CVE-2026-44578)
SSRF in next (CVE-2026-44578). Confidential information can be exposed externally. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44971 |
|
SSRF (Server-Side Request Forgery) in guarddog (CVE-2026-44971)
SSRF in guarddog (CVE-2026-44971). Confidential information can be exposed externally. Exploitable via ``GH_TOKEN``.
|
| CVE-2026-42595 |
|
SSRF (Server-Side Request Forgery) in github.com/gotenberg/gotenberg/v8 (CVE-2026-42595)
SSRF in github.com/gotenberg/gotenberg/v8 (CVE-2026-42595). Confidential information can be exposed externally. Exploitable via ``downloadFrom``. Mitigation: upgrade to `8.32.0` or later.
|
| CVE-2026-8193 |
|
SSRF (Server-Side Request Forgery) in CVE-2026-8193 (CVE-2026-8193)
SSRF in CVE-2026-8193 (CVE-2026-8193). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-44313 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-44313)
SSRF in ssrf (CVE-2026-44313). Confidential information can be exposed externally. Exploitable via `GET /api/v1/archives/{linkId}`.
|
| CVE-2026-44284 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-44284)
SSRF in ssrf (CVE-2026-44284). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-44286 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-44286)
SSRF in ssrf (CVE-2026-44286). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-42352 |
|
SSRF (Server-Side Request Forgery) in pygeoapi (CVE-2026-42352)
SSRF in pygeoapi (CVE-2026-42352). Confidential information can be exposed externally. Exploitable via ``subscriber``. Mitigation: upgrade to `0.23.3` or later.
|
| CVE-2026-42345 |
|
SSRF (Server-Side Request Forgery) in CVE-2026-42345 (CVE-2026-42345)
SSRF in CVE-2026-42345 (CVE-2026-42345). Confidential information can be exposed externally.
|
| CVE-2026-42346 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-42346)
SSRF in ssrf (CVE-2026-42346). Confidential information can be exposed externally.
|
| CVE-2026-42339 |
|
SSRF (Server-Side Request Forgery) in github.com/QuantumNous/new-api (CVE-2026-42339)
SSRF in github.com/QuantumNous/new-api (CVE-2026-42339). Data can be tampered with by attackers. Exploitable via `POST /v1/chat/completions`. Mitigation: upgrade to `0.9.0.5` or later.
|
| CVE-2026-41682 |
|
Vulnerability in CVE-2026-41682 (CVE-2026-41682)
vulnerability in CVE-2026-41682 (CVE-2026-41682). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-42213 |
|
Path Traversal in CVE-2026-42213 (CVE-2026-42213)
path traversal in CVE-2026-42213 (CVE-2026-42213). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-42180 |
|
SSRF (Server-Side Request Forgery) in lemmy_api_common (CVE-2026-42180)
SSRF in lemmy_api_common (CVE-2026-42180). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v3/post`. Mitigation: upgrade to `0.19.18` or later.
|
| CVE-2026-42181 |
|
SSRF (Server-Side Request Forgery) in lemmy_api_common (CVE-2026-42181)
SSRF in lemmy_api_common (CVE-2026-42181). Confidential information can be exposed externally. Exploitable via `POST /api/v3/post`. Mitigation: upgrade to `0.19.18` or later.
|
| CVE-2026-44694 |
|
Vulnerability in n8n-mcp (CVE-2026-44694)
vulnerability in n8n-mcp (CVE-2026-44694). Confidential information can be exposed externally. Exploitable via ``N8N_API_URL``. Mitigation: upgrade to `2.50.2` or later.
|
| CVE-2026-44502 |
|
SSRF (Server-Side Request Forgery) in bugsink (CVE-2026-44502)
SSRF in bugsink (CVE-2026-44502). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2.1.3` or later.
|
| CVE-2026-44430 |
|
SSRF (Server-Side Request Forgery) in github.com/modelcontextprotocol/registry (CVE-2026-44430)
SSRF in github.com/modelcontextprotocol/registry (CVE-2026-44430). Risk of unauthorized operations or information disclosure. Exploitable via `POST /v0/auth/http`. Mitigation: upgrade to `1.7.7` or later.
|
| CVE-2026-41887 |
|
Path Traversal in flarum/core (CVE-2026-41887)
path traversal in flarum/core (CVE-2026-41887). Confidential information can be exposed externally. Exploitable via `POST /api/settings`. Mitigation: upgrade to `2.0.0-rc.1` or later.
|
| CVE-2026-44428 |
|
SSRF (Server-Side Request Forgery) in github.com/modelcontextprotocol/registry (CVE-2026-44428)
SSRF in github.com/modelcontextprotocol/registry (CVE-2026-44428). Risk of unauthorized operations or information disclosure. Exploitable via ``c5c4b9e8890dd5754bee889b2f1417f4fe3b5ce5``. Mitigation: upgrade to `1.7.6` or later.
|
| CVE-2026-42353 |
|
Path Traversal in i18next-http-middleware (CVE-2026-42353)
path traversal in i18next-http-middleware (CVE-2026-42353). Confidential information can be exposed externally. Exploitable via `GET /locales/resources.json`. Mitigation: upgrade to `3.9.3` or later.
|
| CVE-2026-44335 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-44335)
SSRF in ssrf (CVE-2026-44335). Successful exploitation can lead to full system takeover. Exploitable via ``requests``. Mitigation: upgrade to `>= 1.6.32` or later.
|
| CVE-2026-41423 |
|
SSRF (Server-Side Request Forgery) in @angular/platform-server (CVE-2026-41423)
SSRF in @angular/platform-server (CVE-2026-41423). Risk of unauthorized operations or information disclosure. Exploitable via ``evil.com``.
|
| CVE-2026-42261 |
|
Vulnerability in ssrf (CVE-2026-42261)
vulnerability in ssrf (CVE-2026-42261). Confidential information can be exposed externally. Exploitable via `POST /api/skills/fetch-remote`.
|
| CVE-2026-8034 |
|
Vulnerability in ssrf (CVE-2026-8034)
vulnerability in ssrf (CVE-2026-8034). Successful exploitation can lead to full system takeover.
|
| CVE-2026-41105 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-41105)
SSRF in ssrf (CVE-2026-41105). Confidential information can be exposed externally.
|
| CVE-2026-42449 |
|
SSRF (Server-Side Request Forgery) in n8n-mcp (CVE-2026-42449)
SSRF in n8n-mcp (CVE-2026-42449). Confidential information can be exposed externally. Exploitable via ``N8NDocumentationMCPServer``. Mitigation: upgrade to `2.47.14` or later.
|
| CVE-2026-8081 |
|
SSRF (Server-Side Request Forgery) in router-for-me (CVE-2026-8081)
SSRF in router-for-me (CVE-2026-8081). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-41413 |
|
SSRF (Server-Side Request Forgery) in istio.io/istio (CVE-2026-41413)
SSRF in istio.io/istio (CVE-2026-41413). Risk of unauthorized operations or information disclosure. Exploitable via ``ValidatingAdmissionPolicy``. Mitigation: upgrade to `0.0.0-20260410004459-189832a289c1` or later.
|
| CVE-2026-20035 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-20035)
SSRF in ssrf (CVE-2026-20035). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-39383 |
|
SSRF (Server-Side Request Forgery) in github.com/gotenberg/gotenberg/v8 (CVE-2026-39383)
SSRF in github.com/gotenberg/gotenberg/v8 (CVE-2026-39383). Confidential information can be exposed externally. Exploitable via ``FilterDeadline``. Mitigation: upgrade to `8.31.0` or later.
|
| CVE-2026-40280 |
|
SSRF (Server-Side Request Forgery) in github.com/gotenberg/gotenberg/v8 (CVE-2026-40280)
SSRF in github.com/gotenberg/gotenberg/v8 (CVE-2026-40280). Confidential information can be exposed externally. Exploitable via ``downloadFrom``. Mitigation: upgrade to `8.31.0` or later.
|
| CVE-2026-34084 |
|
Unsafe Deserialization in phpoffice/phpspreadsheet (CVE-2026-34084)
vulnerability in phpoffice/phpspreadsheet (CVE-2026-34084). Successful exploitation can lead to full system takeover. Exploitable via ``is_file``. Mitigation: upgrade to `1.30.3` or later.
|
| CVE-2026-35527 |
|
SSRF (Server-Side Request Forgery) in github.com/lxc/incus/v6/cmd/incusd (CVE-2026-35527)
SSRF in github.com/lxc/incus/v6/cmd/incusd (CVE-2026-35527). Risk of unauthorized operations or information disclosure. Exploitable via ``restricted.images.servers``. Mitigation: upgrade to `7.0.0` or later.
|
| CVE-2026-3340 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-3340)
SSRF in ssrf (CVE-2026-3340). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-41654 |
|
Vulnerability in weblate (CVE-2026-41654)
vulnerability in weblate (CVE-2026-41654). Confidential information can be exposed externally. Exploitable via ``project.add``. Mitigation: upgrade to `5.17.1` or later.
|
| CVE-2026-44015 |
|
SSRF (Server-Side Request Forgery) in github.com/0xJacky/Nginx-UI (CVE-2026-44015)
SSRF in github.com/0xJacky/Nginx-UI (CVE-2026-44015). Confidential information can be exposed externally. Exploitable via `GET /api/settings`.
|
| CVE-2026-42043 |
|
Vulnerability in axios (CVE-2026-42043)
vulnerability in axios (CVE-2026-42043). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.15.1` or later.
|
| CVE-2026-41455 |
|
SSRF (Server-Side Request Forgery) in CVE-2026-41455 (CVE-2026-41455)
SSRF in CVE-2026-41455 (CVE-2026-41455). Confidential information can be exposed externally.
|
| CVE-2026-41644 |
|
Vulnerability in github.com/monetr/monetr (CVE-2026-41644)
vulnerability in github.com/monetr/monetr (CVE-2026-41644). Confidential information can be exposed externally. Exploitable via `POST /api/lunch_flow/link`. Mitigation: upgrade to `1.12.5` or later.
|
| CVE-2026-35548 |
|
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-35548)
SSRF in ssrf (CVE-2026-35548). Confidential information can be exposed externally.
|
| CVE-2026-6587 |
|
SSRF (Server-Side Request Forgery) in CVE-2026-6587 (CVE-2026-6587)
SSRF in CVE-2026-6587 (CVE-2026-6587). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-40346 |
|
SSRF (Server-Side Request Forgery) in @nocobase/plugin-workflow-request (CVE-2026-40346)
SSRF in @nocobase/plugin-workflow-request (CVE-2026-40346). Confidential information can be exposed externally. Exploitable via ``url``. Mitigation: upgrade to `2.0.37` or later.
|
| CVE-2026-41481 |
|
SSRF (Server-Side Request Forgery) in langchain-text-splitters (CVE-2026-41481)
SSRF in langchain-text-splitters (CVE-2026-41481). Confidential information can be exposed externally. Exploitable via ``Document``. Mitigation: upgrade to `1.1.2` or later.
|
| CVE-2026-43995 |
|
SSRF (Server-Side Request Forgery) in flowise (CVE-2026-43995)
SSRF in flowise (CVE-2026-43995). Successful exploitation can lead to full system takeover. Exploitable via ``httpSecurity.ts``. Mitigation: upgrade to `3.1.0` or later.
|