Monsta FTP: An SSRF Blocklist That Forgot IPv6 Exists
An unauthenticated SSRF in Monsta FTP 2.14.4. The product ships a real SSRF blocklist that correctly blocks 127.0.0.1, 169.254.169.254 and RFC1918, then forgets that ::ffff:169.254.169.254 is the exact same host. One missing normalization, both gates bypassed, and a static AAAA record is all it takes.
Streama Path Traversal + SSRF: Chaining Vulnerabilities for Arbitrary File Write
A critical vulnerability in Streama allows authenticated users to write arbitrary files through a combination of Server-Side Request Forgery (SSRF) and Path Traversal. This write-up covers the root cause analysis, exploitation flow, and the vendor's comprehensive fix.