Hackthebox - Server-Side Attack Module

Server-Side Attack Application interface: After accessing the website, the application automatically sends POST requests to retrieve data. At first glance, this request appears to be an SSRF vulnerability. After testing, it was confirmed to have SSRF, but there is no outbound traffic, and a port scan revealed only ports 80 and 3306 are open, making it ineffective for exploitation: Port scan: File name scan: Notice that the application accepts user input to display the count on the screen:

ORM Leak Vulnerability in Finmars

I recently conducted research on ORM Leaking - Top 2 web hacking technique by PortSwigger. Following this study, I utilized Sourcegraph to scan open-source repositories for potential vulnerabilities. This investigation led to the discovery of an ORM Leaking flaw within the Finmars repository. Let’s analyze the vulnerability.
Description and Impact
Type: ORM Leaking | Version Affected: finmars-core ≤ 1.24.5 | Required Authentication: Yes | ?-day: 0-day
Root Cause Analysis
The Source
The application contains a security vulnerability within the category data extraction feature (/api/v1/specific-data/values-for-select/).

SSRF in Koha version ≤ 25.11 (CVE-2026-26379)

Description and Impact
Type: SSRF | Affected Version: ≤25.11 (latest) | ?-day: 0-day
Steps to Reproduce
First, from the Dashboard interface, go to Koha Administration → Z39.50/SRU servers:
Select + New Z39.50 server.
Assume the internal network is hosting an application on port 8888: nc -nvlp 8888
Fill in the information as follows:
Save. Go to http://192.168.116.130:8080/cgi-bin/koha/cataloguing/z3950_search.pl and fill in the information as shown in the image:

Cross-Site Scripting via File Upload in Koha (CVE-2026-26378)

Description and Impact
Type: XSS via File Upload | Version Affected: ≤ 25.11 (latest) | ?-day: 0-day
Steps to Reproduce
First, create an arbitrary vendor (if one already exists, skip this step):
Vendor ABC was successfully created.
Access Receive Shipments to create a new Invoice:
Successfully created an Invoice with invoiceid=3:
Then, access the URL: cgi-bin/koha/acqui/invoice-files.pl?invoiceid=3
Proceed to upload an SVG file containing the XSS payload as follows:

Stored XSS in Koha version ≤25.11 (CVE-2026-26377)

Description and Impact
Type: Stored XSS | Version Affected: ≤ 25.11 | Required Authentication: Yes | ?-day: 0-day
This vulnerability poses a critical risk as the malicious payload is saved on the server, affecting multiple users without requiring social engineering. Successful exploitation permits attackers to exfiltrate sensitive data, impersonate high-privileged users (Administrator account takeover), and compromise the confidentiality and integrity of the application.
Steps to Reproduce
(Testing on Koha version 25.

Stored-XSS via animate tag in Roundcube (CVE-2025-68461)

Description and Impact
Type: Stored-XSS | Version Affected: <1.5.12, <1.6.12 | Authentication Required: Yes | ?-day: 1-day | CVSS: 7.2
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Root cause analysis
program\lib\Roundcube\rcube_washtml.php:dumpHtml()
The application checks whether the current tag ($tagName) is one of the animation tags (animate, animatecolor, …).