Redis

Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.

Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.

Missing Redis cache invalidation in Budibase's public API role unassignment endpoint allows users with revoked admin, builder, or app-level privileges to retain full access for up to 1 hour (the hardcoded Redis TTL of 3600 seconds). Affected deployments are Budibase versions prior to 3.38.2 running an enterprise license, where the `POST /api/public/v1/roles/unassign` endpoint writes revocations to CouchDB but never calls `cache.user.invalidateUser()`, leaving the authentication middleware to serve stale permissions from Redis. Publicly available exploit code exists within the GHSA-6vp2-6r7m-2jvx advisory; no confirmed active exploitation (not listed in CISA KEV at time of analysis).

{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.

Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).

Insecure deserialization in Significant-Gravitas AutoGPT platform versions 0.6.34 through 0.6.51 lets an attacker who can poison entries in the shared Redis cache achieve arbitrary command execution inside the backend container. The backend's read path invokes pickle.loads on cache bytes with no HMAC, signature, or schema gate, so any attacker-controlled value reaching that key becomes code on retrieval. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the vendor shipped a fix in autogpt-platform-beta-v0.6.52.

OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.

Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.

Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.

Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.

{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.

Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory.

Cross-account email event leakage in Inbox Zero prior to 2.29.3 allows authenticated users of the cleaner feature to receive thread events intended for other authenticated accounts via a shared Redis subscription listener. The vulnerability requires both accounts to be actively using the cleaner feature simultaneously and affects only confidentiality of email metadata, with low attack complexity but requiring prior authentication and precise timing.

Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.

Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.

Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where `call_tool()` and `call_tool_streaming()` reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (`localhost.evil.com` bypassing `startswith` checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).

Server-Side Request Forgery (SSRF) in nuxt-og-image 6.2.5 through 6.4.8 allows remote attackers to bypass the incomplete IPv6 denylist and redirect validation, reaching internal IP addresses and services through incomplete IPv6 prefix filtering and unauthenticated HTTP redirect following. The vulnerability affects the OG image rendering component used by Nuxt applications, enabling attackers to leak internal service responses by injecting crafted IPv6-mapped addresses or chaining external redirects to internal targets.

CRLF injection in Netty's RedisEncoder allows remote command injection and response poisoning by injecting carriage return and line feed characters into InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage objects. Attackers can inject arbitrary Redis commands (such as CONFIG SET, FLUSHALL, or authentication bypass) or forge fake responses when user-controlled input is placed into these message types without sanitization. The vulnerability affects Netty 4.2.12.Final and all prior versions with the codec-redis module; no active exploitation has been reported in CISA KEV, but publicly available proof-of-concept code demonstrates the vulnerability.

Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.

Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.

Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.

Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.

Redis-server with Lua scripting allows authenticated attackers to trigger a use-after-free vulnerability on replicas where replica-read-only is disabled, potentially leading to remote code execution. The vulnerability exploits the master-replica synchronization mechanism and is present in all versions prior to 8.6.3. Patch vendor-released patch: 8.6.3.

Use-after-free in Redis 7.2.0 through 8.6.2 allows authenticated attackers to achieve remote code execution by exploiting error handling in the unblock client flow. When a blocked client is evicted during command re-execution, the server fails to handle the error return from processCommandAndResetClient, triggering memory corruption. Redis has released version 8.6.3 with a security fix. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the critical RCE impact.

Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.

Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.

All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.

Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.

Server-Side Request Forgery in Vexa meeting bot allows unauthenticated remote attackers to forge HTTP POST requests to arbitrary internal URLs (Redis, databases, cloud metadata endpoints) via unvalidated webhook configuration, enabling credential theft and lateral movement. CVSS 5.8 with network attack vector and no user interaction required. Fixed in version 0.10.0-260419-1910.

{ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows

Distribution container registry versions ≤3.0.x and ≤2.8.x restore read access to explicitly deleted blobs when Redis blob descriptor caching and storage deletion are both enabled. After an administrator deletes a blob from repository A, the deletion briefly succeeds, but when repository B later accesses the same digest, it repopulates the shared Redis descriptor cache. Repository A then regains unauthorized read access to the deleted blob because stale repository-scoped membership metadata was never invalidated from Redis. This authorization bypass defeats repository-local content revocation with concrete confidentiality impact. CVSS 7.5 (HIGH) with network attack vector, low complexity, and no authentication required. EPSS exploitation probability is very low (0.03%, 9th percentile), suggesting limited real-world targeting despite public POC availability. Vendor-released patch confirms the issue and provides a fix in version 3.1.0.

Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.

Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.

Remote code execution in D-Tale allows unauthenticated attackers to execute arbitrary code on servers hosting D-Tale publicly when using Redis or Shelf storage backends. The vulnerability stems from improper input validation in the storage layer, affecting D-Tale versions prior to 3.22.0. Vendor-released patch version 3.22.0 is available.

Unauthenticated Server-Side Request Forgery (SSRF) in Ech0's /api/website/title endpoint allows remote attackers to access internal network services, cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254), and localhost-bound resources without authentication. The vulnerability accepts arbitrary URLs via the website_url parameter with zero validation, enabling attackers to probe internal infrastructure and exfiltrate partial response data through HTML title tag extraction. CVSS 7.2 reflects the

Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.

Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credent

Server-Side Request Forgery (SSRF) in FastGPT's Model Context Protocol (MCP) tools endpoints allows authenticated attackers to probe internal networks, access cloud metadata services (e.g., AWS/GCP instance credentials), and interact with backend databases like MongoDB and Redis. Affects FastGPT versions prior to 4.14.9.5. The vulnerability has CVSS 7.7 (High) with scope change indicating potential lateral movement to other system components. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Public exploit code exists via GitHub security advisory GHSA-x9vj-5m4j-9mfv with technical details and proof-of-concept guidance.

Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).

A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.

The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. This vulnerability can be chained with services like Redis to achieve Remote Code Execution, making it a critical security concern despite the 7.2 CVSS score.

AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.

Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.

An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.

CRLF injection in undici's HTTP upgrade handling allows authenticated attackers to inject arbitrary headers and perform request smuggling attacks against backend services like Redis and Elasticsearch when user input is passed unsanitized to the upgrade option. The vulnerability stems from insufficient validation of the upgrade parameter before writing to the socket, enabling attackers to terminate HTTP requests prematurely and route malicious data to non-HTTP protocols. This requires prior authentication and user interaction, with no patch currently available.

Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.

Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

Query injection in @langchain/langgraph-checkpoint-redis allows authenticated users to manipulate RediSearch filter logic by injecting special syntax characters into user-provided keys and values, potentially bypassing access controls. An attacker with valid credentials could craft malicious filter parameters to alter query behavior and access unintended data. The vulnerability affects LangGraph checkpoint implementations using Redis storage and is fixed in version 1.0.2.

Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized device group names, which execute when other users view the group management interface. Public exploit code exists for this vulnerability, affecting LibreNMS deployments across multiple supported platforms. The vulnerability has been patched in version 26.2.0.

Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C.

Laravel Reverb WebSocket server versions 1.6.3 and below have an insecure deserialization vulnerability enabling remote code execution on the backend server.

NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.

An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) run many Docker containers on shared internal networks without firewalling or segmentation. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

An open database issue exists in the affected product and version. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.

Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.

The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs. Version 2.0.20 fixes the issue.

Redis is an open source, in-memory database that persists on disk. Rated medium severity (CVSS 4.7).

Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.

go-redis is the official Redis client library for the Go programming language. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required.

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RedisBloom adds a set of probabilistic data structures to Redis. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.1% and no vendor patch available.

RediSearch is a Redis module that provides querying, secondary indexing, and full-text search for Redis. Rated high severity (CVSS 7.0). No vendor patch available.

RedisTimeSeries is a time-series database (TSDB) module for Redis, by Redis. Rated high severity (CVSS 7.0). No vendor patch available.

Redis is an open source, in-memory database that persists on disk. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Redis versions prior to 7.4.2, 7.2.7, and 6.2.17 contain a use-after-free vulnerability in the Lua scripting engine that allows authenticated users to achieve remote code execution. By manipulating the garbage collector through crafted Lua scripts, attackers can corrupt memory and execute arbitrary code on the Redis server.