
Threats Tagged 'cwe-918'

All threats tagged 'cwe-918' (CWE-918: Server-Side Request Forgery).


CVE-2026-12100: CWE-918 Server-Side Request Forgery (SSRF) in abhisheksaha11 URL Preview

The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVE-2026-12095: CWE-918 Server-Side Request Forgery (SSRF) in bytuncay Kargo Takip

The Kargo Takip WordPress plugin is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability via the 'api_url' parameter in all versions up to and including 1.2. This vulnerability allows unauthenticated attackers to make arbitrary web requests from the server, potentially accessing internal services. The plugin echoes internal API response data, including sensitive 'auth' keys, back to the attacker, enabling direct data exfiltration. The vulnerability has a CVSS score of 7.2, indicating high severity. No official patch or remediation guidance is currently available.

CVE-2026-11370: CWE-918 Server-Side Request Forgery (SSRF) in joomunited WP Meta SEO

The WP Meta SEO WordPress plugin contains a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 4.5.18 via the 'new_link' parameter. Authenticated users with contributor-level access or higher can exploit this to make arbitrary web requests originating from the server. The vulnerability allows attackers to probe internal services and cloud metadata endpoints by reflecting HTTP response status codes in AJAX JSON responses.

CVE-2026-54514: CWE-918 Server-Side Request Forgery (SSRF) in FasterXML jackson-databind

A Server-Side Request Forgery (SSRF) vulnerability exists in FasterXML jackson-databind due to eager DNS resolution during deserialization of InetSocketAddress fields. Versions from 2.0.0 up to but not including 2.18.8, 2.21.4, and 3.1.4 are affected. The issue arises because the deserializer performs DNS resolution immediately, allowing an attacker to trigger DNS queries before application-level validation. This vulnerability is fixed in versions 2.18.8, 2.21.4, and 3.1.4 by deferring DNS resolution until an explicit connection attempt.

CVE-2026-53755: CWE-918 Server-Side Request Forgery (SSRF) in unclecode crawl4ai

CVE-2026-53755 is a Server-Side Request Forgery (SSRF) vulnerability in unclecode's crawl4ai web crawler versions prior to 0.8.9. The vulnerability arises because the Docker API server only applied SSRF destination checks to the crawl target URL, not to proxy addresses. This allowed unauthenticated attackers to specify a proxy pointing to internal IP addresses or cloud metadata endpoints, enabling access to internal services via the crawler. The issue affects multiple proxy configuration fields that feed Chromium's egress and were unchecked. The vulnerability is fixed in version 0.8.9.

CVE-2026-53754: CWE-918 Server-Side Request Forgery (SSRF) in unclecode crawl4ai

CVE-2026-53754 is a Server-Side Request Forgery (SSRF) vulnerability in the open-source web crawler crawl4ai prior to version 0.8.8. The vulnerability arises because the Docker API server's SSRF protection used an incomplete IPv4/IPv6 CIDR blocklist, allowing attackers to bypass filters by encoding internal IPv4 addresses in IPv6 transition forms or using the IPv6 unspecified address. Since the Docker API is unauthenticated by default, attackers can exploit this to reach internal services and cloud metadata endpoints without credentials. The issue is fixed in version 0.8.8.

CVE-2026-50221: CWE-918 Server-Side Request Forgery (SSRF) in OpenStack Swift

In OpenStack Swift before 2.37.2, the proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery. The forged requests expose internal cluster metadata, including storage policy indexes, partition mappings, device names and, when at-rest encryption is enabled, the ciphertext and initialization vectors for the container-level encryption key. The attacker can also cause "ghost listings" in arbitrary containers via the shard-range redirect mechanism.

CVE-2026-49860: CWE-918 Server-Side Request Forgery (SSRF) in denoland deno

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.

CVE-2026-49859: CWE-693 Protection Mechanism Failure in denoland deno

Deno versions prior to 2.8.1 contain a vulnerability where the fetch() function enforces network restrictions based on hostname checks but fails to verify the resolved IP addresses against deny-net rules. This allows an attacker to bypass network restrictions by using a domain name that passes hostname validation but resolves to a denied IP address. The issue is fixed in version 2.8.1.

CVE-2026-54300: CWE-918 Server-Side Request Forgery (SSRF) in withastro astro

@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as *.example.com is converted to an optional subdomain regex, so the apex host matches. A single wildcard pathname such as /ok/* is converted without end anchoring, so deeper paths match by prefix. This vulnerability is fixed in 7.0.13.


Showing 1 to 10 of 87 results
