🚨 CVE-2026-32301: Centrifugo < 6.7.0 has a CRITICAL SSRF flaw — unauthenticated attackers can force outbound requests via dynamic JWKS URLs (e.g., using {{tenant}}). Upgrade ASAP & lock down configs! https://radar.offseq.com/threat/cve-2026-32301-cwe-918-server-side-request-forgery-6022b45c #OffSeq #SSRF #Centrifugo #Vuln
🚨 CVE-2026-32096: CRITICAL SSRF in Plunk < 0.7.0 lets unauthenticated attackers trigger arbitrary outbound HTTP requests via SNS webhook. Upgrade to 0.7.0+ ASAP. Monitor egress and review webhook configs. https://radar.offseq.com/threat/cve-2026-32096-cwe-918-server-side-request-forgery-4e688d7e #OffSeq #SSRF #CloudSecurity

🔎 Cybersecurity Challenge #6 – Spot the Vulnerability

This application fetches an image from a URL provided by the user. Sounds harmless, right? 👨‍💻

But allowing servers to request external resources based on user input can sometimes open the door to dangerous attacks.

Take a closer look at how the URL is validated and how the request is made.

⚠️ Is the validation strong enough?

Question: What security vulnerability exists in this code?

A) SQL Injection
B) Server-Side Request Forgery (SSRF)
C) External XML Entity (XXE)
D) URL Redirection

💬 Comment your answer and tell us which line reveals the vulnerability!

In the next post, I’ll reveal the correct answer and explain how attackers could exploit it in real-world environments.

#cybersecurity #infosec #ethicalhacking #websecurity #bugbounty #securecoding #CyberKid #securitychallenge #SSRF

🔔 CRITICAL CVE-2026-30832: charmbracelet soft-serve (0.6.0 – 0.11.4) allows authenticated SSH users to exploit SSRF via repo import, exposing internal resources. Update to 0.11.4+ now. More: https://radar.offseq.com/threat/cve-2026-30832-cwe-918-server-side-request-forgery-01aea4d4 #OffSeq #SSRF #Vulnerability
🔍 HIGH severity: CVE-2026-27127 in Craft CMS (4.5.0-RC1 – 4.16.18, 5.0.0-RC1 – 5.8.22) enables DNS rebinding via TOCTOU in GraphQL Asset mutation. Patch to 4.16.19/5.8.23+ & review GraphQL permissions. https://radar.offseq.com/threat/cve-2026-27127-cwe-367-time-of-check-time-of-use-t-5842a733 #OffSeq #CraftCMS #SSRF #Vuln
🔎 CRITICAL: CVE-2026-26339 in Hyland Alfresco Transformation Service (Enterprise) enables unauthenticated SSRF → RCE. Restrict access, monitor for abuse, patch ASAP. All versions at risk. https://radar.offseq.com/threat/cve-2026-26339-cwe-918-server-side-request-forgery-f1de4ab8 #OffSeq #CVE202626339 #SSRF #RCE #Alfresco
⚠️ CVE-2026-22048: HIGH-severity SSRF in NETAPP StorageGRID (pre-11.9.0.12, 12.0.0.4) with SSO + Entra ID. Authenticated attackers can delete configs/deny access. Patch or disable SSO now. https://radar.offseq.com/threat/cve-2026-22048-918-in-netapp-storagegrid-formerly--5c913f90 #OffSeq #NETAPP #SSRF #Vulnerability

SSRF Vulnerability and Detecting It With AI, Enter See-SURF!!
This vulnerability was an SSRF (Server Side Request Forgery) issue found in a web application. The application failed to validate external URL requests within specific APIs, allowing attackers to execute arbitrary HTTP/HTTPS requests to internal or external hosts. The researcher discovered the flaw by sending crafted URLs as API parameters, which were not properly restricted. By constructing a payload containing the Google DNS server (8.8.8.8), the researcher was able to perform SSRF and exfiltrate internal data using an AI-based tool called See-SURF. The system's trust in user-supplied URLs for API requests led to this issue. Real-world consequences include data leaks, lateral movement, and potential unauthorized access. To fix, implement proper input validation and sanitization on all external URL requests. Key lesson: Validate external URLs during API calls and be wary of SSRF attacks that can exploit internal resources. #BugBounty #Cybersecurity #WebSecurity #SSRF #InfoSec

https://medium.com/@in3tinct/ssrf-vulnerability-and-detecting-it-with-ai-enter-see-surf-f519b19c9d36?source=rss------bug_bounty-5

SSRF Vulnerability and Detecting It With AI, Enter See-SURF!!

In the modern web, servers are no longer just static vaults; they are talkative agents. They fetch images from URLs, query…

Medium

How I wrote a Telegram bot for SEO audits and kept it from becoming an attack tool

Note on the cover image (KDPV): A practical guide to building a Telegram bot for automated site analysis: broken links, a basic security check, reports. Minimal theory, maximum working code.

https://habr.com/ru/articles/996844/

#Telegram_bot #Python #SSRF #rate_limiting #Redis #SEO_audit #BadenBaden #pyTelegramBotAPI #DNS_rebinding #broken_links

How I wrote a Telegram bot for SEO audits and kept it from becoming an attack tool

Introduction (before the cut) Checking the meta tags on a single page is a five-minute job. Finding broken links on a 500-page site is already an evening's work. And if you also need to analyze the texts for...

Habr
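A worked answer to the question the challenge post asks (is the validation strong enough?), which also covers the Medium write-up's advice to validate external URLs and the SSRF / DNS-rebinding protection the Habr bot post tags. This is an added example, not code from any of those posts: the image fetcher, its weak blocklist, the FAKE_DNS name table and the bypass URLs are all constructed, and only the standard-library modules are real. The weak check is a string blocklist of the kind that fails the challenge; the strict check resolves the name, refuses if any record is non-public (IPv4-mapped IPv6, 100.64/10 and the cloud metadata address included), and fetch_image then connects to that pinned address instead of resolving a second time, which is the DNS-rebinding (TOCTOU) case.

```python
"""Added example (not the challenge post's, Medium's or the Habr bot's code): an image
fetcher with the weak string check beside a resolve-then-pin check. Constructed demo."""
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def weak_validate(url: str) -> bool:
    """Hypothetical 'before' check: scheme prefix plus a substring blocklist."""
    lowered = url.lower()
    return lowered.startswith(("http://", "https://")) and not any(
        bad in lowered for bad in ("localhost", "127.0.0.1", "169.254.169.254"))

def ip_is_forbidden(ip) -> bool:
    """True for any resolved address that must never be a fetch target."""
    if isinstance(ip, ipaddress.IPv6Address):  # unwrap ::ffff:7f00:1 and 2002:7f00:1::
        inner = ip.ipv4_mapped if ip.ipv4_mapped is not None else ip.sixtofour
        ip = inner if inner is not None else ip
    # is_global is False for RFC 1918, loopback, link-local (169.254.169.254), CGNAT
    return not ip.is_global  # 100.64/10, 0.0.0.0, multicast, reserved and doc ranges

def strict_validate(url: str, resolver=socket.getaddrinfo):
    """Return (split_url, pinned_ip) or raise ValueError. Decides on the *resolved*
    addresses (2130706433, 0x7f000001, 127.1, mapped IPv6, attacker DNS all alike)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")  # http://img.example.com@10.0.0.5/
    host = parts.hostname
    if not host:
        raise ValueError("missing host")  # getaddrinfo(None, ...) would mean localhost
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    addrs = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    for addr in addrs:  # one internal record is enough to refuse the whole name
        if ip_is_forbidden(addr):
            raise ValueError(f"{host!r} resolves to non-public {addr}")
    return parts, min(addrs, key=str)  # pin one address; never resolve again

def fetch_image(url: str, resolver=socket.getaddrinfo, timeout=5.0) -> bytes:
    """Connect to the pinned IP (no second lookup, hence no DNS-rebinding TOCTOU);
    Host header and SNI still carry the original name. Needs the network."""
    parts, ip = strict_validate(url, resolver=resolver)
    host, port = parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    sock = socket.create_connection((str(ip), port), timeout=timeout)
    if parts.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock  # http.client sends over a pre-opened socket as-is
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn.request("GET", path, headers={"User-Agent": "image-proxy"})
    resp = conn.getresponse()
    if 300 <= resp.status < 400:  # never follow: the Location was not validated
        raise ValueError(f"redirect to {resp.getheader('Location')!r} refused")
    return resp.read(5 * 1024 * 1024)  # size cap (assumed policy)

FAKE_DNS = {  # constructed name table standing in for DNS so the demo runs offline
    "img.example.com": ["93.184.216.34"],
    "metadata.attacker.test": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # public + internal record
}

def fake_resolver(host, port, **_):
    """getaddrinfo stand-in, including the inet_aton-style literals glibc accepts."""
    if host in FAKE_DNS:
        ips = FAKE_DNS[host]
    else:
        try:
            ips = [str(ipaddress.ip_address(host))]  # dotted IPv4 or IPv6 literal
        except ValueError:
            try:  # 2130706433, 0x7f000001 and 127.1 all mean 127.0.0.1 here
                ips = [socket.inet_ntoa(socket.inet_aton(host))]
            except OSError:
                raise socket.gaierror(f"unknown host {host!r}") from None
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (ip, port)) for ip in ips]

BYPASSES = [  # constructed; each passes weak_validate and fails strict_validate
    "http://2130706433/latest/meta-data/", "http://0x7f000001/", "http://127.1/",
    "http://[::ffff:7f00:1]/", "http://[::1]/",  # IPv4-mapped and plain IPv6 loopback
    "http://0.0.0.0:8080/", "http://100.64.0.1/",
    "http://metadata.attacker.test/",       # name pointing at the metadata IP
    "http://rebind.attacker.test/img.png",  # one public + one internal record
    "http://img.example.com@10.0.0.5/",     # userinfo makes the host look trusted
]

def classify(urls, resolver=fake_resolver):
    """Return {url: (weak_passes, strict_passes)} for each URL."""
    def strict_ok(url):
        try:
            strict_validate(url, resolver=resolver)
            return True
        except ValueError:
            return False
    return {url: (weak_validate(url), strict_ok(url)) for url in urls}
```

classify(BYPASSES) shows every URL passing the weak check and failing the strict one, while https://img.example.com/cat.png passes both and pins to 93.184.216.34. fetch_image is the only piece that touches the network; it refuses 3xx responses because a redirect target has not been through the same check, and a production build would also cap redirects from the caller side and restrict the response Content-Type to image types.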
SSRF vulnerability (HIGH, CVE-2026-0745) in WordPress User Language Switch plugin (all versions). Admin-level users can access internal services. Audit, limit admin access, and monitor for suspicious requests. No patch yet. https://radar.offseq.com/threat/cve-2026-0745-cwe-918-server-side-request-forgery--d2649c34 #OffSeq #WordPress #SSRF