Threat Feed

Tag

Ipv6

6 briefs
high advisory

Gotenberg SSRF via IPv6 Address Confusion (CVE-2026-45741)

Gotenberg's `IsPublicIP` function incorrectly classifies IPv6 6to4, NAT64, and deprecated site-local addresses as public IPs, enabling an unauthenticated attacker to reach internal destinations such as cloud metadata services.

gotenberg/gotenberg/v8 ssrf gotenberg ipv6 cve-2026-45741
2r 1t 1c
medium advisory

CVE-2026-46172 Vulnerability in IPv6 xfrm6_rcv_encap()

CVE-2026-46172 is a vulnerability related to `ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()`, potentially leading to a denial-of-service condition.

ipv6 denial-of-service CVE-2026-46172
2r 1t 1c
medium advisory

CVE-2026-46099: IPv6 NOREF DST Use Vulnerability in seg6 and rpl lwtunnels

CVE-2026-46099 describes a vulnerability in the IPv6 network stack related to NOREF dst use in seg6 and rpl lwtunnels, requiring a security update to address potential exploitation.

ipv6 network denial-of-service information-disclosure
2r 1c
medium advisory

Better Auth Rate Limiter Bypass via IPv6 Prefix Rotation (CVE-2026-45364)

Better Auth versions before 1.4.17 and pre-release versions before 1.5.0-beta.9 are vulnerable to CVE-2026-45364, a rate-limiting bypass. IPv6 clients can rotate through numerous source addresses or vary the textual encoding of one IPv6 address, which defeats rate limiting on authentication endpoints and can lead to credential stuffing, account enumeration, and amplification of password-reset email fan-out.

better-auth +4 rate-limiting authentication ipv6 cve-2026-45364
2r
high advisory

dssrf SSRF Protection Bypass via IPv6 Addresses

A vulnerability in the dssrf npm package allows attackers to bypass SSRF protections by using specially crafted IPv6 addresses, despite documentation claiming IPv6 is disabled, which can lead to internal resource access or other malicious activities.

dssrf ssrf vulnerability ipv6 defense-evasion
2r 12i
high advisory

link-preview-js vulnerable to IPv6 and internal loopback attacks

link-preview-js versions 4.0.0 and earlier are vulnerable to IPv6 and internal loopback attacks, allowing potential internal data leaks by resolving addresses to internal IPs; patched in version 4.0.1.

link-preview-js loopback ipv6 dns internal-ip
3r 1t