
Pandoc SSRF flaw (CVE-2025-51591, actively exploited)

Vulnerability
Happening score: 52
1 unique source, 1 article

Summary


CVE-2025-51591 is an actively exploited SSRF flaw in Pandoc that can be abused to reach the AWS Instance Metadata Service (IMDS) and steal EC2 IAM credentials. Pandoc resolves the src of <iframe> elements in HTML input, so attackers submitted crafted documents whose iframes pointed at 169.254.169.254, making the converting host issue the request on their behalf. The observed goal was to pull /latest/meta-data/iam/info and /latest/meta-data/iam, but IMDSv2 enforcement blocked the attempt because the request carried no X-aws-ec2-metadata-token header. The activity has been seen since August, showing the flaw was already being used in the wild before disclosure.


Timeline

  1. 24.09.2025 10:15 2 articles

    Wiz discloses Pandoc SSRF exploitation against AWS IMDS

    Initial Disclosure

    Wiz disclosed in-the-wild exploitation of CVE-2025-51591 in Pandoc: crafted HTML documents containing <iframe> elements were used to make Pandoc request the AWS Instance Metadata Service (IMDS) at 169.254.169[.]254 and pull /latest/meta-data/iam/info and /latest/meta-data/iam, the paths that expose EC2 IAM role credentials. The attempts failed because IMDSv2 was enforced on the target, and a plain GET issued on behalf of a document cannot supply the required X-aws-ec2-metadata-token header.

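Two things a practitioner wants from the summary and the timeline entry above are a check that rejects untrusted HTML whose fetchable elements point at a metadata endpoint before it ever reaches pandoc, and a concrete picture of why IMDSv2 stopped the observed requests. The following Python is an added example, not code from Pandoc, Wiz or AWS. It assumes a service that accepts untrusted HTML and shells out to pandoc; the list of fetching elements, the metadata hostnames, the sample document, the token value and the IAM payload are all constructed for the demo. It goes slightly beyond the page in also catching decimal, hex and IPv6 spellings of the IMDS address, which the plain string match in many filters misses.

```python
"""Pre-conversion guard for HTML handed to pandoc, plus a small model of the
IMDS access rules showing why the CVE-2025-51591 iframe attempts got a 401.
Added example (not Pandoc's, Wiz's or AWS's code); sample data is constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose URL attribute pandoc's HTML reader may resolve while building
# the output (assumption: illustrative list for this pipeline, not pandoc's own).
FETCHING_ATTRS = {"iframe": "src", "img": "src", "embed": "src", "object": "data"}

# Hostnames and addresses that reach a cloud metadata service (assumption:
# AWS IPv4/IPv6 IMDS plus common aliases; extend for your environment).
METADATA_HOSTS = {"instance-data", "metadata", "metadata.google.internal"}
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"),
                ipaddress.ip_address("fd00:ec2::254")}


def _as_ip(host):
    """Normalise dotted, decimal (2852039166) and hex (0xa9fea9fe) host forms."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))  # base 0: decimal/hex/octal
    except ValueError:
        return None


def points_at_metadata(url):
    """True if the URL targets a metadata service by name or link-local address."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return True  # unparseable URL: fail closed
    if not host:
        return False  # relative path; pandoc resolves it locally, a separate concern
    host = host.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return True
    ip = _as_ip(host)
    return ip is not None and (ip in METADATA_IPS or ip.is_link_local)


class FetchScanner(HTMLParser):
    """Collects (tag, url) pairs that would make pandoc fetch a metadata URL."""
    def __init__(self):
        super().__init__()
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value and points_at_metadata(value):
                self.flagged.append((tag, value))


def scan_html(doc):
    """Return the offending elements; an empty list means the doc may go to pandoc."""
    scanner = FetchScanner()
    scanner.feed(doc)
    scanner.close()
    return scanner.flagged


# Constructed sample mirroring the disclosed payload shape (not a captured file).
SAMPLE_DOC = """<html><body>
<p>Quarterly report</p>
<img src="https://example.com/logo.png">
<iframe src="http://169.254.169.254/latest/meta-data/iam/info"></iframe>
<iframe src="http://0xa9fea9fe/latest/meta-data/iam"></iframe>
</body></html>"""

TOKEN = "constructed-imdsv2-token"  # constructed value, not a real session token


def imds(method, path, headers, require_token=True):
    """Model of IMDS access rules (not AWS code). require_token=True is the
    IMDSv2-only setting (HttpTokens=required); False also serves v1-style GETs."""
    if method == "PUT" and path == "/latest/api/token":
        if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
            return 400, ""
        return 200, TOKEN
    if require_token and headers.get("X-aws-ec2-metadata-token") != TOKEN:
        return 401, ""
    if path == "/latest/meta-data/iam/info":
        return 200, '{"InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/constructed"}'
    return 404, ""


def pandoc_style_fetch(url, require_token=True):
    """A document can only make pandoc issue a plain GET with no custom headers,
    so the token handshake (PUT, then GET with the token) never happens."""
    return imds("GET", urlsplit(url).path, {}, require_token)


if __name__ == "__main__":
    for tag, url in scan_html(SAMPLE_DOC):
        print(f"reject: <{tag}> would fetch {url}")
    target = "http://169.254.169.254/latest/meta-data/iam/info"
    print("IMDSv2 required:", pandoc_style_fetch(target))
    print("IMDSv1 allowed :", pandoc_style_fetch(target, require_token=False))
```

Run the scan before invoking pandoc and refuse the document on any hit; the hex and decimal cases in the sample are the ones a naive `"169.254.169.254" in doc` check would wave through. The second half shows that the 401 in the timeline is a property of IMDSv2 itself: with `require_token=False` (an IMDSv1-tolerant instance) the same GET returns the IAM payload, which is why enforcing IMDSv2 on every EC2 host that converts untrusted documents is the mitigation that actually held here.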