Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    GHSA-JH67-HWQW-M5R7

    Vulnerability from github – Published: 2026-05-19 15:16 – Updated: 2026-05-19 15:16
    VLAI
    Summary
    rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
    Details

    Summary

    Alice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice's configured target host with Bob's host and returns the server-side response to Bob.

    Details

    The Python SDK proxy route accepts every path under the share:

    @app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
    @app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
    def proxy(path):
    

    It constructs the outbound URL with urljoin and then sends the request:

    url = urllib.parse.urljoin(self.target, path)
    resp = requests.request(
        method=request.method,
        url=url,
        headers={key: value for (key, value) in request.headers
                 if key.lower() not in HOP_BY_HOP_HEADERS},
        data=request.get_data(),
        cookies=request.cookies,
        allow_redirects=False,
        stream=True,
        verify=self.verify_ssl
    )
    

    When path is [http://127.0.0.1:19190/metadata](http://127.0.0.1:19190/metadata%60), urljoin(self.target, path) returns [http://127.0.0.1:19190/metadata](http://127.0.0.1:19190/metadata%60). The proxy sends the request to Bob's chosen URL rather than Alice's target.

    Show details on source website

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "zrok"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0.4.47"
                },
                {
                  "last_affected": "1.1.11"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2026-45568"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-22"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2026-05-19T15:16:08Z",
        "nvd_published_at": null,
        "severity": "CRITICAL"
      },
      "details": "## Summary\n\nAlice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice\u0027s configured target host with Bob\u0027s host and returns the server-side response to Bob.\n\n## Details\n\nThe Python SDK proxy route accepts every path under the share:\n\n```python\n@app.route(\u0027/\u0027, defaults={\u0027path\u0027: \u0027\u0027}, methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027, \u0027OPTIONS\u0027])\n@app.route(\u0027/\u003cpath:path\u003e\u0027, methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027, \u0027OPTIONS\u0027])\ndef proxy(path):\n```\n\nIt constructs the outbound URL with `urljoin` and then sends the request:\n\n```python\nurl = urllib.parse.urljoin(self.target, path)\nresp = requests.request(\n    method=request.method,\n    url=url,\n    headers={key: value for (key, value) in request.headers\n             if key.lower() not in HOP_BY_HOP_HEADERS},\n    data=request.get_data(),\n    cookies=request.cookies,\n    allow_redirects=False,\n    stream=True,\n    verify=self.verify_ssl\n)\n```\n\nWhen `path` is `[http://127.0.0.1:19190/metadata`](http://127.0.0.1:19190/metadata%60), `urljoin(self.target, path)` returns `[http://127.0.0.1:19190/metadata`](http://127.0.0.1:19190/metadata%60). The proxy sends the request to Bob\u0027s chosen URL rather than Alice\u0027s target.",
      "id": "GHSA-jh67-hwqw-m5r7",
      "modified": "2026-05-19T15:16:08Z",
      "published": "2026-05-19T15:16:08Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/openziti/zrok/security/advisories/GHSA-jh67-hwqw-m5r7"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/openziti/zrok"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
          "type": "CVSS_V4"
        }
      ],
      "summary": "rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths"
    }

    PYSEC-2026-577

    Vulnerability from pysec - Published: 2026-06-29 11:50 - Updated: 2026-07-01 20:23
    VLAI
    Details

    Summary

    Alice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice's configured target host with Bob's host and returns the server-side response to Bob.

    Details

    The Python SDK proxy route accepts every path under the share:

    @app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
    @app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
    def proxy(path):
    

    It constructs the outbound URL with urljoin and then sends the request:

    url = urllib.parse.urljoin(self.target, path)
    resp = requests.request(
        method=request.method,
        url=url,
        headers={key: value for (key, value) in request.headers
                 if key.lower() not in HOP_BY_HOP_HEADERS},
        data=request.get_data(),
        cookies=request.cookies,
        allow_redirects=False,
        stream=True,
        verify=self.verify_ssl
    )
    

    When path is [http://127.0.0.1:19190/metadata](http://127.0.0.1:19190/metadata%60), urljoin(self.target, path) returns [http://127.0.0.1:19190/metadata](http://127.0.0.1:19190/metadata%60). The proxy sends the request to Bob's chosen URL rather than Alice's target.

    Impacted products
    Name purl
    zrok pkg:pypi/zrok

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "zrok",
            "purl": "pkg:pypi/zrok"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0.4.47"
                },
                {
                  "last_affected": "1.1.11"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.4.47",
            "0.4.48",
            "0.4.49",
            "1.0.0",
            "1.0.1",
            "1.0.2",
            "1.0.3",
            "1.0.4",
            "1.0.5",
            "1.0.6",
            "1.0.7",
            "1.0.8",
            "1.1.0",
            "1.1.1",
            "1.1.10",
            "1.1.11",
            "1.1.2",
            "1.1.3",
            "1.1.5",
            "1.1.7",
            "1.1.8",
            "1.1.9"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-45568",
        "GHSA-jh67-hwqw-m5r7"
      ],
      "details": "## Summary\n\nAlice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice\u0027s configured target host with Bob\u0027s host and returns the server-side response to Bob.\n\n## Details\n \nThe Python SDK proxy route accepts every path under the share:\n\n```python\n@app.route(\u0027/\u0027, defaults={\u0027path\u0027: \u0027\u0027}, methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027, \u0027OPTIONS\u0027])\n@app.route(\u0027/\u003cpath:path\u003e\u0027, methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027, \u0027OPTIONS\u0027])\ndef proxy(path):\n```\n\nIt constructs the outbound URL with `urljoin` and then sends the request:\n\n```python\nurl = urllib.parse.urljoin(self.target, path)\nresp = requests.request(\n    method=request.method,\n    url=url,\n    headers={key: value for (key, value) in request.headers\n             if key.lower() not in HOP_BY_HOP_HEADERS},\n    data=request.get_data(),\n    cookies=request.cookies,\n    allow_redirects=False,\n    stream=True,\n    verify=self.verify_ssl\n)\n```\n\nWhen `path` is `[http://127.0.0.1:19190/metadata`](http://127.0.0.1:19190/metadata%60), `urljoin(self.target, path)` returns `[http://127.0.0.1:19190/metadata`](http://127.0.0.1:19190/metadata%60). The proxy sends the request to Bob\u0027s chosen URL rather than Alice\u0027s target.",
      "id": "PYSEC-2026-577",
      "modified": "2026-07-01T20:23:12.283893Z",
      "published": "2026-06-29T11:50:50.353793Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/openziti/zrok/security/advisories/GHSA-jh67-hwqw-m5r7"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/openziti/zrok"
        },
        {
          "type": "PACKAGE",
          "url": "https://pypi.org/project/zrok"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-jh67-hwqw-m5r7"
        },
        {
          "type": "ADVISORY",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45568"
        }
      ],
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
          "type": "CVSS_V4"
        }
      ],
      "summary": "rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths"
    }