appsec.fyi · Sources

security.snyk.io

5 curated AppSec resources from security.snyk.io across 4 topics on appsec.fyi.

security.snyk.io

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.

Date Added · Resource (year, topic) · Excerpt

2026-04-19 · XXE Injection in langchain-community (CVE-2025-6984) · (2026, XXE)
Writeup of CVE-2025-6984, an XML External Entity (XXE) injection in langchain-community. The flaw stems from insecure use of `etree.iterparse()`: by submitting a crafted XML payload that declares an external entity, an attacker can read sensitive local files and potentially cause a denial of service. Versions prior to 0.3.27 are affected; upgrade to 0.3.27 or later.

2026-04-11 · CVE-2021-43466: Thymeleaf Spring5 RCE · (2026, SSTI)
Snyk Vulnerability Database entry for SNYK-JAVA-ORGTHYMELEAF-1915389, a remote code execution vulnerability in Thymeleaf Spring5. The flaw lies in the render function of AjaxThymeleafView.java, which lets attackers inject attacker-controlled input that is evaluated as a template expression (server-side template injection). The entry also includes EPSS data giving the exploitation probability and percentile.

2026-04-10 · Cross-site Scripting (XSS) in vue-i18n (CVE-2025-53892) · (2026, XSS)
Writeup of CVE-2025-53892, a Cross-site Scripting (XSS) vulnerability in vue-i18n. An attacker who can inject a malicious payload into translation strings can execute arbitrary JavaScript even when `escapeParameterHtml` is set to `true`. Fixed in 9.14.5, 10.0.8 and 11.1.10; upgrade to the patched release of your major line or later.

2026-04-09 · SSRF in axios (CVE-2025-27152) · (2026, SSRF)
Writeup of CVE-2025-27152, a Server-side Request Forgery (SSRF) vulnerability in axios. The HTTP adapter ignores the `allowAbsoluteUrls` option when it calls `buildFullPath`, so an attacker who controls the request URL can override the configured `baseURL` and make the application send requests to an endpoint of their choosing, potentially exfiltrating sensitive data. Versions prior to 0.30.0 and 1.8.2 are affected.

2026-04-09 · SSRF in Next.js (CVE-2025-57822) · (2026, SSRF)
Writeup of CVE-2025-57822, a Server-side Request Forgery (SSRF) vulnerability in Next.js that is exploitable via crafted user-controlled headers when custom middleware is present. The SSRF abuses the `resolve-routes` functionality to reach internal resources. Recommended mitigations are upgrading to a patched version or using `NextResponse.next({request})` in middleware.
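The axios entry above (CVE-2025-27152) describes the mechanism only in one sentence: the HTTP adapter resolved `url` against `baseURL` without consulting `allowAbsoluteUrls`, so an absolute URL supplied by a user replaced the configured base. The following is an added example, not axios's own code or the writeup's, that re-implements that resolution step in simplified form to show the vulnerable and fixed shapes side by side, plus an allowlist check a caller can apply regardless of library version. The function names (`isAbsoluteURL`, `combineURLs`, `buildFullPathIgnoringFlag`, `buildFullPath`, `resolveRequestUrl`) and the hosts `api.internal.example` and `attacker.example` are illustrative assumptions.

```javascript
// Added example (not axios's code): simplified baseURL + url resolution showing
// why an ignored `allowAbsoluteUrls` flag turns a user-controlled `url` into SSRF.
// All names and hosts here are illustrative assumptions.

// A URL counts as absolute if it starts with "scheme://" or is scheme-relative ("//host").
function isAbsoluteURL(url) {
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

// Join base and relative parts with exactly one slash between them.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Vulnerable shape: the option exists on the config, but this code path never
// receives it, so an absolute requestedURL always wins over baseURL.
function buildFullPathIgnoringFlag(baseURL, requestedURL /* allowAbsoluteUrls never passed */) {
  if (baseURL && !isAbsoluteURL(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Fixed shape: when allowAbsoluteUrls === false, an absolute requestedURL is
// treated as a path segment under baseURL instead of replacing it.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Defence in depth for callers: whatever the library does, verify the host of
// the final URL against an allowlist before the request leaves the process.
// Throws on a non-allowlisted host; returns the resolved URL string otherwise.
function resolveRequestUrl(baseURL, userSuppliedPath, allowedHosts, allowAbsoluteUrls = false) {
  const full = buildFullPath(baseURL, userSuppliedPath, allowAbsoluteUrls);
  const host = new URL(full).host;
  if (!allowedHosts.includes(host)) {
    throw new Error(`refusing request to non-allowlisted host: ${host}`);
  }
  return full;
}

// Constructed inputs: a service whose only legitimate upstream is api.internal.example,
// and a request path taken verbatim from an untrusted user.
const BASE = 'https://api.internal.example';
const ALLOWED = ['api.internal.example'];

function demo() {
  return {
    // user supplies an absolute URL; the vulnerable path lets it replace BASE entirely
    vulnerable: buildFullPathIgnoringFlag(BASE, 'https://attacker.example/exfil'),
    // fixed path with allowAbsoluteUrls=false keeps the request under BASE
    fixed: buildFullPath(BASE, 'https://attacker.example/exfil', false),
    // scheme-relative form is also absolute and is neutralised the same way
    schemeRelative: buildFullPath(BASE, '//attacker.example/x', false),
    // ordinary relative paths behave identically in both shapes
    relative: buildFullPath(BASE, '/users/42', false),
  };
}
```

`resolveRequestUrl` deliberately defaults `allowAbsoluteUrls` to `false`: a caller that forwards untrusted input into `url` should opt in to absolute URLs explicitly, and even then the host allowlist is the control that holds if a future regression reintroduces the bug.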