Summary
PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web tools via attacker-controlled searxng_url parameter
References
Related vulnerabilities
- MEDIUM GHSA-GXG4-2RRR-JHC7: OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently
- LOW GHSA-3MP7-VP6J-2MXX: BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
- MEDIUM GHSA-Q59X-JC9F-GFQF: Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
- HIGH GHSA-WM69-2PC3-RMMF: Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream)
- MEDIUM GHSA-FJV8-J4P5-CR9M: Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
- HIGH GHSA-P6GQ-J5CR-W38F: Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message