Lucene search
K

5 matches found

CVE
CVE
added 6 hours ago8 views

CVE-2026-55438

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...

5.8CVSS6AI score
Exploits0References7
CVE
CVE
added 7 hours ago9 views

CVE-2026-55430

Coder's workspace app (github.com/coder/coder) prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts X-Forwarded-Host for routing because no middleware strips it before routing and httpapi.RequestHost() prefers that header over Host. This enables cross-app data access when subdomain (wildca...

5.8CVSS6AI score
Exploits0References6
OSV
OSV
added yesterday4 views

GO-2026-5918 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder...

5.8CVSS5.9AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/09/08 3:12 a.m.10 views

CVE-2025-58437

Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace...

8.1CVSS6.8AI score0.00349EPSS
Exploits1References1
Snyk
Snyk
added 2025/09/06 4:0 a.m.2 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration via insecure session handling in prebuilt workspaces. An attacker can gain unauthorized access to other users' workspaces by reusing unexpired session tokens exposed through...

8.6CVSS6.9AI score0.00349EPSS
Exploits1References2
Rows per page
Query Builder