CVE-2026-42038
A flaw was found in Axios, a software library used for making web requests. This vulnerability allows an attacker to bypass the noproxy configuration, which is designed to prevent certain internal network requests from being sent through an external proxy. Specifically, when noproxy=localhost is...
CVE-2026-42038
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...
PT-2026-35048
Name of the Vulnerable Software and Affected Versions Axios versions prior to 0.31.1 Axios versions prior to 1.15.1 Description An incomplete fix for no proxy hostname normalization bypass allows requests to 127.0.0.1 and ::1 to route through a proxy even when no proxy=localhost is configured. Th...
CVE-2025-54304
An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from...
GHSA-PW25-C82R-75MM request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTTP requests are correctly blocked. Impact: Vulnerable patterns requests that should be blocked but are allowed: - https://127.0.0.1:443/api -...
GHSA-VVF8-2H68-9475 Duplicate Advisory: Keycloak Open Redirect vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references. Original Description A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL...
CVE-2024-8883
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...
HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery
============================================================================================================================================= | Title : HYSCALE System v1.9 CSRF add admin Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefox 128.0.3 64...
POMS 1.0 Insecure Settings
============================================================================================================================================= | Title : POMS v1.0 Insecure Settings Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefox 125.0.1 64 bits | |...
Online Pizza Ordering System 1.0 Insecure Settings
============================================================================================================================================= | Title : Online Pizza Ordering System v1.0 Insecure Settings Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla...
MSMS-PHP 1.0 Insecure Settings
============================================================================================================================================= | Title : MSMS-PHP v1.0 Insecure Settings Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefox 125.0.1 64 bits...
Medicine Tracker System 1.0 Insecure Settings
==================================================================================================================================== | Title : Medicine Tracker System v1.0 Insecure Settings Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefox 125.0.1 6...
Company Visitor Management 1.0 SQL Injection
============================================================================================================================================= | Title : Company Visitor Management 1.0 Auth By Pass Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefox...
Pharmacy Management System 1.0 Insecure Settings
==================================================================================================================================== | Title : Pharmacy Management System v1.0 Insecure Settings Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser : Mozilla firefox 125.0....
ChatBot Application With A Suggestion Feature 1.0 Insecure Settings
==================================================================================================================================== | Title : ChatBot Application with a Suggestion Feature v1.0 Insecure Settings Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser :...
CVE-2024-39699 Directus has a Blind SSRF On File Import
Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security...
Ivanti Connect Secure Unauthenticated Remote Code Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Ivanti Connect Secure Unauthenticated Remote Code Execution', 'Description' = %q This module chains a server side request forgery SSRF...
CVE-2023-41894 Local-only webhooks externally accessible via SniTun in Home Assistant Core
Home assistant is an open source home automation. The assessment verified that webhooks available in the webhook component are triggerable via the .ui.nabu.casa URL without authentication, even when the webhook is marked as Only accessible from the local network. This issue is facilitated by the...
EI Tube YouTube API 3 SQL Injection
==================================================================================================================================== | Title : EI Tube YouTube API V3 site builder Sql Injection Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firef...