Skip to main content

News

6 CVEs product

Monthly

CVE-2026-44515 LOW PATCH Monitor

Blind Server-Side Request Forgery in Nextcloud News prior to 28.3.0-beta.1 allows low-privileged authenticated users to weaponize the feed URL submission feature - available via both the web interface and API - to coerce the Nextcloud server into making outbound HTTP requests to attacker-specified internal or private IP ranges, including localhost. Response content is never relayed back to the attacker, constraining this to a reconnaissance primitive rather than a data-exfiltration channel. No public exploit has been identified at time of analysis, EPSS sits at 0.04% (12th percentile), and CISA has not listed this in KEV, collectively indicating a low-probability real-world exploitation scenario.

SSRF Nextcloud News
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2021-41256 HIGH POC PATCH This Week

nextcloud news-android is an Android client for the Nextcloud news/feed reader app. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Google Nextcloud Information Disclosure News
NVD GitHub
CVSS 3.1
7.1
EPSS
1.1%
CVE-2019-12724 MEDIUM PATCH This Month

An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS News
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2017-15982 CRITICAL POC Act Now

Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP News
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2014-6290 HIGH PATCH This Week

The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Deserialization News
NVD
CVSS 2.0
7.5
EPSS
0.6%
CVE-2013-4748 PHP HIGH PATCH This Week

SQL injection vulnerability in the News system (news) extension before 1.3.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi News
NVD
CVSS 2.0
7.5
EPSS
0.4%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Blind Server-Side Request Forgery in Nextcloud News prior to 28.3.0-beta.1 allows low-privileged authenticated users to weaponize the feed URL submission feature - available via both the web interface and API - to coerce the Nextcloud server into making outbound HTTP requests to attacker-specified internal or private IP ranges, including localhost. Response content is never relayed back to the attacker, constraining this to a reconnaissance primitive rather than a data-exfiltration channel. No public exploit has been identified at time of analysis, EPSS sits at 0.04% (12th percentile), and CISA has not listed this in KEV, collectively indicating a low-probability real-world exploitation scenario.

SSRF Nextcloud News
NVD GitHub
EPSS 1% CVSS 7.1
HIGH POC PATCH This Week

nextcloud news-android is an Android client for the Nextcloud news/feed reader app. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Google Nextcloud Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS News
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP News
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Deserialization News
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in the News system (news) extension before 1.3.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi News
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy