EUVD-2026-36729

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies...

CVE-2026-9595

Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

CVE-2026-9595

The CVE affects webpack-dev-server where a user-configured proxy with a broad context (e.g., /) and ws: true intercepts the dev server’s HMR WebSocket, forwarding it to the proxy target. This can leak cookies and Origin headers to the backend, bypass Host/Origin validation, and corrupt the HMR so...

PT-2026-49244

Name of the Vulnerable Software and Affected Versions webpack-dev-server versions prior to 5.2.5 Description A permissive user-configured proxy with a broad context e.g., '/' and ws: true intercepts the development server's own Hot Module Replacement HMR WebSocket and forwards it to the proxy...

aioHTTP < 3.14.0 Multiple Vulnerabilities

The version of aioHTTP installed on the remote host is prior to 3.14.0. It is, therefore, affected by multiple vulnerabilities: - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary...

CVE-2026-43625

CodexBar vulnerability CVE-2026-43625 affects versions prior to 0.32.0. Affected component: CodexBar session handling for Amp and Ollama provider sessions. Root cause: improper redirect handling allows an on-path attacker to observe imported browser session cookies in cleartext HTTP requests when...

MAL-2026-4723 Malicious code in weavedb-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403 package.json declares "preinstall": "./tools/setup", where tools/setup is a 976KB stripped Linux x86-64 ELF binary sha256...

CVE-2026-8706 Sensitive user data could be leaked to other applications through Reader mode

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0...

Kiota Java Libraries 输入验证错误漏洞

Kiota Java Libraries is an open-source collection of Java libraries developed by Microsoft for generating OpenAPI SDKs. Version 1.9.0 of Kiota Java Libraries contains a vulnerability related to input validation errors. This vulnerability arises from the RedirectHandler middleware, which fails to...

ALPINE-CVE-2026-6276

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

CVE-2026-6276

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

CVE-2026-6276

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

CVE-2026-34226

A flaw was found in Happy DOM, a JavaScript implementation of a web browser without its graphical user interface. This vulnerability allows for information disclosure where cookies from the current page's origin can be inadvertently attached to network requests made to a different destination. Th...

CVE-2026-34226

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin window.location instead of the request target URL when fetch..., credentials: "include" is used. This can leak cookies from orig...

CVE-2026-34226 Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin window.location instead of the request target URL when fetch..., credentials: "include" is used. This can leak cookies from orig...

Siemens SIMATIC S7-1500 Missing Encryption of Sensitive Data (CVE-2022-27779)

libcurl wrongly allows cookies to be set for Top Level Domains TLDs if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's cookie engine can bebuilt with or without Public Suffix Listawareness. If PSL support not provided, a more rudimentary check...

EUVD-2022-1770

Malicious code in bioql PyPI...

Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http

...

CVE-2025-7654

Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wfgetcookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make...

PT-2025-16278 · Autogpt +1 · Autogpt +1

Name of the Vulnerable Software and Affected Versions: AutoGPT versions prior to 0.6.1 Description: The issue allows for the leakage of cross-domain cookies and protected headers in requests redirect. AutoGPT uses a wrapper around the requests python library, which has a fundamental flaw in...