Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4641 vulnerabilities reference this CWE, most recent first.

CVE-2026-12986 (GCVE-0-2026-12986)

Vulnerability from cvelistv5 – Published: 2026-06-24 14:08 – Updated: 2026-06-24 14:52 X_Open Source
VLAI
Summary
A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain. A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-352 - Cross-Site request forgery (CSRF)
  • CWE-918 - Server-Side request forgery (SSRF)
Assigner
References
Impacted products
Vendor Product Version
Payara Payara Server Affected: 7.2025.1 , < 7.2026.6 (custom)
Affected: 7.0.0 , < 7.1.0 (semver)
Affected: 6.0.0 , < 6.39.0 (semver)
Affected: 5.20.0 , < 5.88.0 (semver)
Affected: 4.1.144 , < 4.1.2.191.56 (custom)
Affected: 5.181 , ≤ 5.201.2 (custom)
Affected: 5.2020.1 , ≤ 5.2022.5 (custom)
Affected: 6.2023.1 , ≤ 6.2025.11 (custom)
Create a notification for this product.
Credits
sujaltuladhar1231@gmail.com
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T14:52:09.838012Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T14:52:26.473Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "Admin GUI"
          ],
          "packageName": "org.glassfish.main.admingui:console-common",
          "platforms": [
            "Windows",
            "Linux",
            "MacOS"
          ],
          "product": "Payara Server",
          "repo": "https://github.com/payara/Payara/",
          "vendor": "Payara",
          "versions": [
            {
              "lessThan": "7.2026.6",
              "status": "affected",
              "version": "7.2025.1",
              "versionType": "custom"
            },
            {
              "lessThan": "7.1.0",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.39.0",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.88.0",
              "status": "affected",
              "version": "5.20.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.1.2.191.56",
              "status": "affected",
              "version": "4.1.144",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.201.2",
              "status": "affected",
              "version": "5.181",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.2022.5",
              "status": "affected",
              "version": "5.2020.1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.2025.11",
              "status": "affected",
              "version": "6.2023.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "sujaltuladhar1231@gmail.com"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.\u003cbr\u003e\u003cbr\u003eA Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator\u0027s REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the\u0026nbsp;\u003ccode\u003eDownloadServlet\u003c/code\u003e\u0026nbsp;and associated\u0026nbsp;\u003ccode\u003eContentSource\u003c/code\u003e\u0026nbsp;implementations (\u003ccode\u003eLogViewerContentSource\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eLogFilesContentSource\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eLBConfigContentSource\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eClientStubsContentSource\u003c/code\u003e) within the\u0026nbsp;\u003ccode\u003eadmingui:console-common\u003c/code\u003e\u0026nbsp;module.\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.\n\nA Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator\u0027s REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the\u00a0DownloadServlet\u00a0and associated\u00a0ContentSource\u00a0implementations (LogViewerContentSource,\u00a0LogFilesContentSource,\u00a0LBConfigContentSource,\u00a0ClientStubsContentSource) within the\u00a0admingui:console-common\u00a0module."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-664 Server Side Request Forgery"
            }
          ]
        },
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        },
        {
          "capecId": "CAPEC-60",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-60 Reusing Session IDs (aka Session Replay)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:P/AU:Y/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site request forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side request forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T14:18:36.828Z",
        "orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
        "shortName": "Payara"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%207.2026.6.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
    "assignerShortName": "Payara",
    "cveId": "CVE-2026-12986",
    "datePublished": "2026-06-24T14:08:02.332Z",
    "dateReserved": "2026-06-23T11:45:33.366Z",
    "dateUpdated": "2026-06-24T14:52:26.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12813 (GCVE-0-2026-12813)

Vulnerability from cvelistv5 – Published: 2026-06-21 22:30 – Updated: 2026-06-22 13:24
VLAI
Title
activepieces File URL file.ts handleUrlFile server-side request forgery
Summary
A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
References
URL Tags
https://vuldb.com/vuln/372607 vdb-entrytechnical-description
https://vuldb.com/vuln/372607/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12813 third-party-advisory
https://vuldb.com/submit/837553 third-party-advisory
https://github.com/dxz0069/softwareoverflow/blob/… exploit
Impacted products
Vendor Product Version
n/a activepieces Affected: 0.1
Affected: 0.2
Affected: 0.3
Affected: 0.4
Affected: 0.5
Affected: 0.6
Affected: 0.7
Affected: 0.8
Affected: 0.9
Affected: 0.10
Affected: 0.11
Affected: 0.12
Affected: 0.13
Affected: 0.14
Affected: 0.15
Affected: 0.16
Affected: 0.17
Affected: 0.18
Affected: 0.19
Affected: 0.20
Affected: 0.21
Affected: 0.22
Affected: 0.23
Affected: 0.24
Affected: 0.25
Affected: 0.26
Affected: 0.27
Affected: 0.28
Affected: 0.29
Affected: 0.30
Affected: 0.31
Affected: 0.32
Affected: 0.33
Affected: 0.34
Affected: 0.35
Affected: 0.36
Affected: 0.37
Affected: 0.38
Affected: 0.39
Affected: 0.40
Affected: 0.41
Affected: 0.42
Affected: 0.43
Affected: 0.44
Affected: 0.45
Affected: 0.46
Affected: 0.47
Affected: 0.48
Affected: 0.49
Affected: 0.50
Affected: 0.51
Affected: 0.52
Affected: 0.53
Affected: 0.54
Affected: 0.55
Affected: 0.56
Affected: 0.57
Affected: 0.58
Affected: 0.59
Affected: 0.60
Affected: 0.61
Affected: 0.62
Affected: 0.63
Affected: 0.64
Affected: 0.65
Affected: 0.66
Affected: 0.67
Affected: 0.68
Affected: 0.69
Affected: 0.70
Affected: 0.71
Affected: 0.72
Affected: 0.73
Affected: 0.74
Affected: 0.75
Affected: 0.76
Affected: 0.77
Affected: 0.78
Affected: 0.79
Affected: 0.80
Affected: 0.81
Affected: 0.82
Affected: 0.83.0
    cpe:2.3:a:activepieces:activepieces:*:*:*:*:*:*:*:*
Credits
ST4R (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12813",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T13:24:23.327254Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T13:24:34.047Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:activepieces:activepieces:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "File URL Handler"
          ],
          "product": "activepieces",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "0.1"
            },
            {
              "status": "affected",
              "version": "0.2"
            },
            {
              "status": "affected",
              "version": "0.3"
            },
            {
              "status": "affected",
              "version": "0.4"
            },
            {
              "status": "affected",
              "version": "0.5"
            },
            {
              "status": "affected",
              "version": "0.6"
            },
            {
              "status": "affected",
              "version": "0.7"
            },
            {
              "status": "affected",
              "version": "0.8"
            },
            {
              "status": "affected",
              "version": "0.9"
            },
            {
              "status": "affected",
              "version": "0.10"
            },
            {
              "status": "affected",
              "version": "0.11"
            },
            {
              "status": "affected",
              "version": "0.12"
            },
            {
              "status": "affected",
              "version": "0.13"
            },
            {
              "status": "affected",
              "version": "0.14"
            },
            {
              "status": "affected",
              "version": "0.15"
            },
            {
              "status": "affected",
              "version": "0.16"
            },
            {
              "status": "affected",
              "version": "0.17"
            },
            {
              "status": "affected",
              "version": "0.18"
            },
            {
              "status": "affected",
              "version": "0.19"
            },
            {
              "status": "affected",
              "version": "0.20"
            },
            {
              "status": "affected",
              "version": "0.21"
            },
            {
              "status": "affected",
              "version": "0.22"
            },
            {
              "status": "affected",
              "version": "0.23"
            },
            {
              "status": "affected",
              "version": "0.24"
            },
            {
              "status": "affected",
              "version": "0.25"
            },
            {
              "status": "affected",
              "version": "0.26"
            },
            {
              "status": "affected",
              "version": "0.27"
            },
            {
              "status": "affected",
              "version": "0.28"
            },
            {
              "status": "affected",
              "version": "0.29"
            },
            {
              "status": "affected",
              "version": "0.30"
            },
            {
              "status": "affected",
              "version": "0.31"
            },
            {
              "status": "affected",
              "version": "0.32"
            },
            {
              "status": "affected",
              "version": "0.33"
            },
            {
              "status": "affected",
              "version": "0.34"
            },
            {
              "status": "affected",
              "version": "0.35"
            },
            {
              "status": "affected",
              "version": "0.36"
            },
            {
              "status": "affected",
              "version": "0.37"
            },
            {
              "status": "affected",
              "version": "0.38"
            },
            {
              "status": "affected",
              "version": "0.39"
            },
            {
              "status": "affected",
              "version": "0.40"
            },
            {
              "status": "affected",
              "version": "0.41"
            },
            {
              "status": "affected",
              "version": "0.42"
            },
            {
              "status": "affected",
              "version": "0.43"
            },
            {
              "status": "affected",
              "version": "0.44"
            },
            {
              "status": "affected",
              "version": "0.45"
            },
            {
              "status": "affected",
              "version": "0.46"
            },
            {
              "status": "affected",
              "version": "0.47"
            },
            {
              "status": "affected",
              "version": "0.48"
            },
            {
              "status": "affected",
              "version": "0.49"
            },
            {
              "status": "affected",
              "version": "0.50"
            },
            {
              "status": "affected",
              "version": "0.51"
            },
            {
              "status": "affected",
              "version": "0.52"
            },
            {
              "status": "affected",
              "version": "0.53"
            },
            {
              "status": "affected",
              "version": "0.54"
            },
            {
              "status": "affected",
              "version": "0.55"
            },
            {
              "status": "affected",
              "version": "0.56"
            },
            {
              "status": "affected",
              "version": "0.57"
            },
            {
              "status": "affected",
              "version": "0.58"
            },
            {
              "status": "affected",
              "version": "0.59"
            },
            {
              "status": "affected",
              "version": "0.60"
            },
            {
              "status": "affected",
              "version": "0.61"
            },
            {
              "status": "affected",
              "version": "0.62"
            },
            {
              "status": "affected",
              "version": "0.63"
            },
            {
              "status": "affected",
              "version": "0.64"
            },
            {
              "status": "affected",
              "version": "0.65"
            },
            {
              "status": "affected",
              "version": "0.66"
            },
            {
              "status": "affected",
              "version": "0.67"
            },
            {
              "status": "affected",
              "version": "0.68"
            },
            {
              "status": "affected",
              "version": "0.69"
            },
            {
              "status": "affected",
              "version": "0.70"
            },
            {
              "status": "affected",
              "version": "0.71"
            },
            {
              "status": "affected",
              "version": "0.72"
            },
            {
              "status": "affected",
              "version": "0.73"
            },
            {
              "status": "affected",
              "version": "0.74"
            },
            {
              "status": "affected",
              "version": "0.75"
            },
            {
              "status": "affected",
              "version": "0.76"
            },
            {
              "status": "affected",
              "version": "0.77"
            },
            {
              "status": "affected",
              "version": "0.78"
            },
            {
              "status": "affected",
              "version": "0.79"
            },
            {
              "status": "affected",
              "version": "0.80"
            },
            {
              "status": "affected",
              "version": "0.81"
            },
            {
              "status": "affected",
              "version": "0.82"
            },
            {
              "status": "affected",
              "version": "0.83.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "ST4R (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-21T22:30:09.414Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-372607 | activepieces File URL file.ts handleUrlFile server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/372607"
        },
        {
          "name": "VDB-372607 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/372607/cti"
        },
        {
          "name": "CVE-2026-12813 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12813"
        },
        {
          "name": "Submit #837553 | activepieces Component: see affected components below 0.83.1 Server-Side Request Forgery (SSRF)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/837553"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/dxz0069/softwareoverflow/blob/main/activepieces_file_property_url_ssrf_vulndb.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-21T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-21T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-21T08:22:18.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "activepieces File URL file.ts handleUrlFile server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12813",
    "datePublished": "2026-06-21T22:30:09.414Z",
    "dateReserved": "2026-06-21T06:17:14.598Z",
    "dateUpdated": "2026-06-22T13:24:34.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12798 (GCVE-0-2026-12798)

Vulnerability from cvelistv5 – Published: 2026-06-21 09:30 – Updated: 2026-06-22 17:14
VLAI
Title
BerriAI litellm MCP OpenAPI Spec Loader openapi_to_mcp_generator.py load_openapi_spec_async server-side request forgery
Summary
A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
References
URL Tags
https://vuldb.com/vuln/372560 vdb-entrytechnical-description
https://vuldb.com/vuln/372560/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12798 third-party-advisory
https://vuldb.com/submit/811290 third-party-advisory
https://gist.github.com/YLChen-007/c1104c52997569… exploit
Impacted products
Vendor Product Version
BerriAI litellm Affected: 1.82.0
Affected: 1.82.1
Affected: 1.82.2
    cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Eric-c (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12798",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T17:14:11.598867Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T17:14:45.929Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "MCP OpenAPI Spec Loader"
          ],
          "product": "litellm",
          "vendor": "BerriAI",
          "versions": [
            {
              "status": "affected",
              "version": "1.82.0"
            },
            {
              "status": "affected",
              "version": "1.82.1"
            },
            {
              "status": "affected",
              "version": "1.82.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-c (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function load_openapi_spec_async of the file litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument spec_path causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-21T09:30:08.242Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-372560 | BerriAI litellm MCP OpenAPI Spec Loader openapi_to_mcp_generator.py load_openapi_spec_async server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/372560"
        },
        {
          "name": "VDB-372560 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/372560/cti"
        },
        {
          "name": "CVE-2026-12798 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12798"
        },
        {
          "name": "Submit #811290 | litellm latest Server-Side Request Forgery (SSRF) (CWE-918)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/811290"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/c1104c529975699ba347feedfbe02c5a"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-20T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-20T19:17:39.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "BerriAI litellm MCP OpenAPI Spec Loader openapi_to_mcp_generator.py load_openapi_spec_async server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12798",
    "datePublished": "2026-06-21T09:30:08.242Z",
    "dateReserved": "2026-06-20T17:12:20.743Z",
    "dateUpdated": "2026-06-22T17:14:45.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12774 (GCVE-0-2026-12774)

Vulnerability from cvelistv5 – Published: 2026-06-21 03:45 – Updated: 2026-06-22 10:57
VLAI
Title
BerriAI litellm MCP Server Connection Testing rest_endpoints.py _execute_with_mcp_client server-side request forgery
Summary
A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
References
URL Tags
https://vuldb.com/vuln/372516 vdb-entrytechnical-description
https://vuldb.com/vuln/372516/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-12774 third-party-advisory
https://vuldb.com/submit/811285 third-party-advisory
https://gist.github.com/YLChen-007/256c8ff0750e29… exploit
Impacted products
Vendor Product Version
BerriAI litellm Affected: 1.82.0
Affected: 1.82.1
Affected: 1.82.2
    cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Eric-c (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12774",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T10:57:26.092177Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T10:57:42.425Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "MCP Server Connection Testing"
          ],
          "product": "litellm",
          "vendor": "BerriAI",
          "versions": [
            {
              "status": "affected",
              "version": "1.82.0"
            },
            {
              "status": "affected",
              "version": "1.82.1"
            },
            {
              "status": "affected",
              "version": "1.82.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-c (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function _execute_with_mcp_client of the file litellm/proxy/_experimental/mcp_server/rest_endpoints.py of the component MCP Server Connection Testing. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-21T03:45:06.835Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-372516 | BerriAI litellm MCP Server Connection Testing rest_endpoints.py _execute_with_mcp_client server-side request forgery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/372516"
        },
        {
          "name": "VDB-372516 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/372516/cti"
        },
        {
          "name": "CVE-2026-12774 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12774"
        },
        {
          "name": "Submit #811285 | litellm \u003c= 1.82.2 Server-Side Request Forgery (SSRF) (CWE-918)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/811285"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/256c8ff0750e298f89b6b287c90c2981"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-20T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-20T11:31:45.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "BerriAI litellm MCP Server Connection Testing rest_endpoints.py _execute_with_mcp_client server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12774",
    "datePublished": "2026-06-21T03:45:06.835Z",
    "dateReserved": "2026-06-20T09:26:29.098Z",
    "dateUpdated": "2026-06-22T10:57:42.425Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12726 (GCVE-0-2026-12726)

Vulnerability from cvelistv5 – Published: 2026-06-19 18:49 – Updated: 2026-06-22 17:08
VLAI
Title
Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential
Summary
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
URL Tags
https://access.redhat.com/security/cve/CVE-2026-12726 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2490796 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
Create a notification for this product.
Date Public
2026-06-19 14:40
Credits
Red Hat would like to thank Martin Brodeur (FluentLogic) for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T17:08:33.221112Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T17:08:43.067Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-26/controller-rhel9",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-27/controller-rhel9",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2"
          ],
          "defaultStatus": "affected",
          "packageName": "automation-controller",
          "product": "Red Hat Ansible Automation Platform 2",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Martin Brodeur (FluentLogic) for reporting this issue."
        }
      ],
      "datePublic": "2026-06-19T14:40:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template\u0027s webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T18:49:55.376Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-12726"
        },
        {
          "name": "RHBZ#2490796",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490796"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-24T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-06-19T14:40:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential",
      "workarounds": [
        {
          "lang": "en",
          "value": "The following practices may reduce exposure to this flaw until a fix is available:\n1. Restrict network access to controller webhook endpoints so only trusted GitHub egress IPs or an approved reverse proxy can reach them.\n2. Protect job template webhook keys as secrets; restrict Job Template admin access; rotate webhook keys if compromise is suspected.\n3. If commit status callback to GitHub is not required, configure GitHub webhooks without a webhook_credential on the job template (this disables PAT transmission on job completion).\n4. Monitor controller logs and outbound connections for unexpected callback destinations following webhook-triggered jobs."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-12726",
    "datePublished": "2026-06-19T18:49:55.376Z",
    "dateReserved": "2026-06-19T15:05:52.078Z",
    "dateUpdated": "2026-06-22T17:08:43.067Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12566 (GCVE-0-2026-12566)

Vulnerability from cvelistv5 – Published: 2026-06-17 21:48 – Updated: 2026-06-18 12:50
VLAI
Title
SSRF via unvalidated WWW-Authenticate realm in docker_pull module
Summary
The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
Black Lantern Security BBOT Affected: 2.0.0 , ≤ <=2.8.4 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12566",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T12:50:29.407349Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T12:50:35.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BBOT",
          "repo": "https://github.com/blacklanternsecurity/bbot",
          "vendor": "Black Lantern Security",
          "versions": [
            {
              "lessThanOrEqual": "\u003c=2.8.4",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The docker_pull module uses the realm parameter from a Docker registry\u0027s WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens."
            }
          ],
          "value": "The docker_pull module uses the realm parameter from a Docker registry\u0027s WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T21:48:57.632Z",
        "orgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d",
        "shortName": "BLSOPS"
      },
      "references": [
        {
          "url": "https://github.com/blacklanternsecurity/bbot/commit/c2f4bc0f4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SSRF via unvalidated WWW-Authenticate realm in docker_pull module",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "27b6da8a-f51d-48d9-9eef-9b7f3405d20d",
    "assignerShortName": "BLSOPS",
    "cveId": "CVE-2026-12566",
    "datePublished": "2026-06-17T21:48:57.632Z",
    "dateReserved": "2026-06-17T21:45:54.435Z",
    "dateUpdated": "2026-06-18T12:50:35.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12473 (GCVE-0-2026-12473)

Vulnerability from cvelistv5 – Published: 2026-06-25 20:38 – Updated: 2026-06-26 13:05
VLAI
Title
OHIF Viewers DICOM Server-Side request forgery
Summary
Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side request forgery (SSRF)
Assigner
Impacted products
Date Public
2026-06-25 17:00
Credits
Simon Weber and Volker Schönefeld of Machine Spirits UG reported this vulnerability to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12473",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T13:05:47.331920Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T13:05:53.810Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DICOM Web Viewer Framework",
          "vendor": "Open Health Imaging Foundation (OHIF)",
          "versions": [
            {
              "lessThanOrEqual": "v3.12.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Simon Weber and Volker Sch\u00f6nefeld of Machine Spirits UG reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2026-06-25T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user\u0027s OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted."
            }
          ],
          "value": "Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user\u0027s OIDC Bearer token into the resulting requests, sending it to the attacker-controlled server. DICOMweb data sources are not impacted."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side request forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T20:38:32.998Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsma-26-176-02"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-176-02.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12).\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js.\u0026nbsp;"
            }
          ],
          "value": "The maintainer has fixed the reported vulnerability and released version 3.12.2 (2026-05-18). The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12).\n\nUsers are recommended to upgrade to v3.12.2 or later. Operators who need dicomwebproxy or dicomjson in authenticated deployments must additionally configure the new dangerouslyAllowedOriginsForAuthenticatedEnvironments allowlist in app-config.js."
        }
      ],
      "source": {
        "advisory": "ICSMA-26-176-02",
        "discovery": "EXTERNAL"
      },
      "title": "OHIF Viewers DICOM Server-Side request forgery",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with."
            }
          ],
          "value": "Users running OHIF with authentication should remove ALL unused DicomWebProxyDataSource and DicomJSONDataSource configurations from the configuration file they are deploying with."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:\n\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or \nsystems, ensuring they are not accessible from the \ninternet. \u003ca href=\"https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01\"\u003ehttps://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01\u003c/a\u003e\u0026nbsp;\u003c/li\u003e\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolating them from business networks.\n\u003c/li\u003e\u003cli\u003eWhen remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have \nvulnerabilities and should be updated to the most current version \navailable. Also recognize VPN is only as secure as the connected \ndevices.\n\n\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:\n\n  *  Minimize network exposure for all control system devices and/or \nsystems, ensuring they are not accessible from the \ninternet.  https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 \u00a0\n  *  Locate control system networks and remote devices behind firewalls and isolating them from business networks.\n\n  *  When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have \nvulnerabilities and should be updated to the most current version \navailable. Also recognize VPN is only as secure as the connected \ndevices."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-12473",
    "datePublished": "2026-06-25T20:38:32.998Z",
    "dateReserved": "2026-06-16T20:16:53.716Z",
    "dateUpdated": "2026-06-26T13:05:53.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12210 (GCVE-0-2026-12210)

Vulnerability from cvelistv5 – Published: 2026-06-15 02:30 – Updated: 2026-06-15 13:19
VLAI
Title
universal-tool-calling-protocol python-utcp utcp-gql/utcp-websocket server-side request forgery
Summary
A vulnerability was detected in universal-tool-calling-protocol python-utcp 1.1.0. This affects an unknown function of the component utcp-gql/utcp-websocket. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery
Assigner
Impacted products
Vendor Product Version
universal-tool-calling-protocol python-utcp Affected: 1.1.0
    cpe:2.3:a:universal-tool-calling-protocol:python-utcp:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
gola (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12210",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T13:19:45.321990Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T13:19:52.875Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:universal-tool-calling-protocol:python-utcp:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "utcp-gql/utcp-websocket"
          ],
          "product": "python-utcp",
          "vendor": "universal-tool-calling-protocol",
          "versions": [
            {
              "status": "affected",
              "version": "1.1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "gola (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in universal-tool-calling-protocol python-utcp 1.1.0. This affects an unknown function of the component utcp-gql/utcp-websocket. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T02:30:10.150Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-370852 | universal-tool-calling-protocol python-utcp utcp-gql/utcp-websocket server-side request forgery",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/vuln/370852"
        },
        {
          "name": "VDB-370852 | CTI Indicators (IOB, IOC)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/370852/cti"
        },
        {
          "name": "CVE-2026-12210 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-12210"
        },
        {
          "name": "Submit #832542 | universal-tool-calling-protocol python-utcp 1.1.0 Improper Input Validation",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/832542"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/universal-tool-calling-protocol/python-utcp/issues/86"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/gola-leya/cve_submit/issues/1"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/universal-tool-calling-protocol/python-utcp/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-06-14T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-06-14T14:35:09.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "universal-tool-calling-protocol python-utcp utcp-gql/utcp-websocket server-side request forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-12210",
    "datePublished": "2026-06-15T02:30:10.150Z",
    "dateReserved": "2026-06-14T12:30:06.444Z",
    "dateUpdated": "2026-06-15T13:19:52.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12123 (GCVE-0-2026-12123)

Vulnerability from cvelistv5 – Published: 2026-07-10 05:34 – Updated: 2026-07-10 14:35
VLAI
Title
All-in-One Video Gallery <= 4.8.5 - Authenticated (Subscriber+) Server-Side Request Forgery via 'vdl' Parameter
Summary
The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the 'vdl' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. A Subscriber-level attacker can plant an internal or loopback URL in the `mp4` post meta of a newly created `aiovg_videos` post via XML-RPC `wp.newPost`, then trigger the unauthenticated `?vdl=<post_id>` endpoint to force the server to fetch that URL and stream the full response body back to the requester.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
plugins360 All-in-One Video Gallery Affected: 0 , ≤ 4.8.5 (semver)
Create a notification for this product.
Credits
KoreaInfoSec
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12123",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T14:35:19.444626Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T14:35:37.311Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "All-in-One Video Gallery",
          "vendor": "plugins360",
          "versions": [
            {
              "lessThanOrEqual": "4.8.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "KoreaInfoSec"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the \u0027vdl\u0027 parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. A Subscriber-level attacker can plant an internal or loopback URL in the `mp4` post meta of a newly created `aiovg_videos` post via XML-RPC `wp.newPost`, then trigger the unauthenticated `?vdl=\u003cpost_id\u003e` endpoint to force the server to fetch that URL and stream the full response body back to the requester."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T05:34:04.429Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3bb454c-ac0e-4915-8c6e-070596f7595a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L904"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L724"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L758"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/public/video.php#L681"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.8.5/includes/roles.php#L70"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L904"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L724"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L758"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/public/video.php#L681"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.5/includes/roles.php#L70"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3582575"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-12T15:26:40.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-09T16:59:54.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "All-in-One Video Gallery \u003c= 4.8.5 - Authenticated (Subscriber+) Server-Side Request Forgery via \u0027vdl\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12123",
    "datePublished": "2026-07-10T05:34:04.429Z",
    "dateReserved": "2026-06-12T15:11:28.352Z",
    "dateUpdated": "2026-07-10T14:35:37.311Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12100 (GCVE-0-2026-12100)

Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 12:52
VLAI
Title
URL Preview <= 1.0 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
Summary
The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
abhisheksaha11 URL Preview Affected: 0 , ≤ 1.0 (semver)
Create a notification for this product.
Credits
YU-SHENG YU
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12100",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T12:52:28.426687Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T12:52:41.256Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "URL Preview",
          "vendor": "abhisheksaha11",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "YU-SHENG YU"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the \u0027url\u0027 parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T05:33:21.641Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05de038f-eff4-4b00-930c-3d2335345869?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/link-preview/trunk/class.linkpreview.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/link-preview/trunk/class.linkpreview.php#L112"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-23T16:41:58.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "URL Preview \u003c= 1.0 - Unauthenticated Server-Side Request Forgery via \u0027url\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12100",
    "datePublished": "2026-06-24T05:33:21.641Z",
    "dateReserved": "2026-06-12T14:20:00.585Z",
    "dateUpdated": "2026-06-24T12:52:41.256Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.