13 matches found

RedhatCVE
added 2026/04/07 11:1 p.m. · 3 views

CVE-2026-35185

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

CVSS 8.7 · AI score 5.9 · EPSS 0.00103
Exploits: 1 · References: 1

Vulnrichment
added 2026/04/06 7:24 p.m. · 2 views

CVE-2026-35185 HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

CVSS 8.7 · AI score 5.9 · EPSS 0.00103
Exploits: 1 · References: 1

ATTACKERKB
added 2026/04/06 7:24 p.m. · 1 view

CVE-2026-35185

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

CVSS 8.7 · AI score 5.9 · EPSS 0.00103
Exploits: 1 · References: 2 · Affected Software: 1

EUVD
added 2026/04/06 7:24 p.m. · 3 views

EUVD-2026-19469

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

CVSS 8.7 · AI score 5.9 · EPSS 0.00103
Exploits: 1 · References: 1

Positive Technologies
added 2026/04/06 12:0 a.m. · 5 views

PT-2026-30720

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens user token, user activity, client IP addresses, and server configuration details. This allows...

CVSS 8.7 · AI score 5.9 · EPSS 0.00103
Exploits: 1 · References: 2

Vulnrichment
added 2025/12/05 4:29 a.m. · 2 views

CVE-2025-13494 SSP Debug <= 1.0.0 - Unauthenticated Sensitive Information Exposure

The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location wp-content/uploads/ssp-debug/ssp-debug.log without any access controls. This...

CVSS 5.3 · AI score 5.3 · EPSS 0.0005
Exploits: 0 · References: 3

OSV
added 2025/05/15 8:15 p.m. · 2 views

CVE-2024-0970

This User Activity Tracking and Log WordPress plugin before 4.1.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value...

CVSS 5.3 · AI score 7.3
Exploits: 0 · References: 1

CNNVD
added 2024/10/30 12:0 a.m. · 1 view

LevelOne WBR-6012 Security Vulnerability

The LevelOne WBR-6012 is a wireless router from LevelOne. A security vulnerability exists in the LevelOne WBR-6012 that stems from a reliance on client IP addresses for authentication, resulting in an authentication bypass vulnerability in the web application...

CVSS 9 · AI score 6.8 · EPSS 0.00055
Exploits: 1 · References: 1

Positive Technologies
added 2024/05/29 12:0 a.m. · 4 views

PT-2024-23426 · WordPress · Site Reviews

Name of the Vulnerable Software and Affected Versions: Site Reviews WordPress plugin versions prior to 7.0.0 Description: The issue allows an attacker to manipulate client IP addresses retrieved from potentially untrusted headers, which can be used to bypass IP-based blocking. Recommendations: Fo...

CVSS 9.1 · AI score 7.1 · EPSS 0.00756
Exploits: 2 · References: 4

Microsoft CVE
added 2022/08/16 7:0 a.m. · 1 view

Exposure of client IP addresses in net/http

...

CVSS 6.5 · AI score 7.5 · EPSS 0.00056
Exploits: 1

Vulnrichment
added 2022/08/09 8:18 p.m. · 1 view

CVE-2022-32148 Exposure of client IP addresses in net/http

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the...

AI score 5.8 · EPSS 0.00056
Exploits: 1 · References: 5

CNVD
added 2018/09/13 12:0 a.m. · 1 view

Tor Browser Deanonymization With SMB Information Disclosure Vulnerability

Tor Browser is a web browser. An information disclosure vulnerability exists in Tor Browser Deanonymization With SMB, which allows remote attackers to bypass expected anonymization features and discover client IP addresses...

CVSS 4.3 · AI score 4.6 · EPSS 0.00586
Exploits: 4 · References: 1

OSV
added 2007/09/08 1:17 a.m. · 2 views

DEBIAN-CVE-2007-4755

Alien Arena 2007 6.10 and earlier allows remote attackers to cause a denial of service client disconnect by sending a clientconnect command in a forged packet from the server to a client. NOTE: client IP addresses are available via product-specific queries...

CVSS 5 · AI score 6.9 · EPSS 0.02311
Exploits: 1 · References: 1