Lucene search
+L

1342 matches found

CVE
CVE
added 2026/06/10 2:41 p.m.61 views

CVE-2026-48856

This CVE affects Erlang OTP inets (httpc_response) where cross-origin 3xx redirects copy Authorization and Proxy-Authorization headers to the redirect target, enabling credential theft. Root cause: httpc_response:redirect/2 only updates the host field; other header fields are copied, with autored...

7.1CVSS5.5AI score0.00335EPSS
Exploits0References5Affected Software2
EUVD
EUVD
added 2026/06/10 2:41 p.m.14 views

EUVD-2026-36058

Sensitive Data Exposure vulnerability in Erlang OTP inets httpcresponse module allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary...

7.1CVSS5.5AI score0.00335EPSS
Exploits0References5
OSV
OSV
added 2026/06/10 2:41 p.m.9 views

EEF-CVE-2026-48856 httpc leaks Authorization header to cross-origin redirect targets

Summary Sensitive Data Exposure vulnerability in Erlang OTP inets httpc\response module allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary...

7.1CVSS5.4AI score0.00335EPSS
Exploits0References4
OSV
OSV
added 2026/06/10 2:41 p.m.2 views

CVE-2026-48856 httpc leaks Authorization header to cross-origin redirect targets

Sensitive Data Exposure vulnerability in Erlang OTP inets httpcresponse module allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary...

7.1CVSS6AI score0.00335EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.14 views

PT-2026-48464

Name of the Vulnerable Software and Affected Versions Erlang OTP versions 17.0 through 29.0.1 Erlang OTP version 28.5.0.1 Erlang OTP version 27.3.4.12 Description Sensitive data exposure occurs in the httpc response module of the inets library. The httpc client forwards Authorization and...

7.1CVSS5.8AI score0.00335EPSS
Exploits0References11
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.14 views

Erlang/OTP 输入验证错误漏洞

Erlang/OTP is an open-source JavaScript library for handling exceptions. This library can catch exceptions caused by Node.js’s built-in APIs. Versions of Erlang/OTP between 5.10 and 9.7.1, 9.6.2.2, and 9.3.2.6 have a vulnerability related to input validation errors. This vulnerability arises...

7.1CVSS5.3AI score0.00335EPSS
Exploits0References1
FreeBSD
FreeBSD
added 2026/06/10 12:0 a.m.8 views

Erlang/OTP -- httpc leaks authentication headers on cross-host redirect

https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh reports: The HTTP client httpc in inets now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port, following the requirements of RFC 9110 section...

7.1CVSS5.5AI score0.00335EPSS
Exploits0References1
Veracode
Veracode
added 2026/06/09 9:21 a.m.12 views

Information Exposure

Axios is vulnerable to Information Exposure. The vulnerability is due to improper handling of the Proxy-Authorization header in the Node.js HTTP adapter, where proxy credentials can be retained across redirects and inadvertently sent to a redirected destination after the request is no longer rout...

7.5CVSS5.4AI score0.00532EPSS
Exploits1References34Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/08 5:17 p.m.7 views

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Incorrect Behavior Order CVE-2026-0707

Summary keycloak is used by the IBM Datapower Operations Dashboard as part of their IAM and SSO implementation Vulnerability Details CVEID:CVE-2026-0707 DESCRIPTION: A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer...

5.3CVSS5.5AI score0.00361EPSS
Exploits0Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/08 12:0 a.m.10 views

Amazon Linux 2023 : perl-libwww-perl, perl-libwww-perl-tests (ALAS2023-2026-1764)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1764 advisory. LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross- origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before...

6.5CVSS5.5AI score0.00266EPSS
Exploits0References4
GithubExploit
GithubExploit
added 2026/06/06 7:55 a.m.85 views

Exploit for CVE-2026-48595

CVE-2026-48595 - elixir-tesla tesla Vulnerability Quick Us...

8.2CVSS5.5AI score0.00396EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.11 views

CVE-2026-45739

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as Authorization: Bearer , the value...

4.3CVSS5.4AI score0.00218EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-47356

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery SSRF via the webhookurl parameter in the file scan endpoint POST /v1/iac/iacVersion/cloud/local/file/scan when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhookurl multipa...

8.7CVSS5.7AI score0.00499EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.11 views

CVE-2026-49197

Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails...

10CVSS5.5AI score0.00332EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:16 p.m.10 views

CVE-2026-42855

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header,...

7.5CVSS5.5AI score0.00351EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:11 p.m.10 views

CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS5.4AI score0.00505EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.43 views

CVE-2026-8181

The Burst Statistics – Privacy-Friendly WordPress Analytics Google Analytics Alternative plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the ismainwpauthenticated function when validating application...

9.8CVSS5.5AI score0.14608EPSS
Exploits11References1
Github Security Blog
Github Security Blog
added 2026/06/05 3:40 p.m.16 views

MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration

Summary The kubectlgeneric tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with...

6.1CVSS5.5AI score0.00267EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/06/04 5:52 p.m.18 views

EUVD-2026-32927

Hono: JWT middleware accepts any Authorization scheme, not only Bearer...

6.5CVSS5.8AI score0.00199EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/04 2:9 p.m.43 views

CVE-2026-45739 Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs

Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as Authorization: Bearer , the value...

3.1CVSS0.00218EPSS
Exploits0References5
Rows per page
Query Builder