Lucene search
K

9028 matches found

CVE
CVE
added 2026/06/16 11:52 a.m.28 views

CVE-2026-12304

CVE-2026-12304 involves a Same-origin policy bypass in the Networking: Cookies component affecting Mozilla products. The vulnerability is documented for Firefox and Thunderbird (including firefox-esr and Thunderbird ESR variants) with fixes implemented in Firefox 152, Firefox ESR 140.12, Thunderb...

9.1CVSS5.2AI score0.00189EPSS
Exploits0References5Affected Software2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.11 views

PT-2026-49701

Name of the Vulnerable Software and Affected Versions Firefox for iOS versions prior to 152.0 Description Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument. This behavior allows a malicious site to inject arbitrary cookies int...

4.3CVSS6AI score0.001EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.10 views

PT-2026-49673

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 152 Firefox ESR versions prior to 140.12 Thunderbird versions prior to 152 Thunderbird versions prior to 140.12 Description A same-origin policy bypass exists in the Networking: Cookies component. The same-origin poli...

9.1CVSS5.2AI score0.00476EPSS
Exploits0References186
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 11:47 p.m.11 views

Malicious code in reading-cookies (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d137cd4e8e7fc6d323c33ed04a87a97b152b217f948d01fae3172900751bf121 On import, the package's middleware spawns a detached node lib/caller.js child process. caller.js decodes a base64-obfuscated URL...

5.5AI score
Exploits0References2
OSV
OSV
added 2026/06/15 11:47 p.m.7 views

MAL-2026-5847 Malicious code in reading-cookies (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d137cd4e8e7fc6d323c33ed04a87a97b152b217f948d01fae3172900751bf121 On import, the package's middleware spawns a detached node lib/caller.js child process. caller.js decodes a base64-obfuscated URL...

5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:8 p.m.11 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in the CookieJar.save and CookieJar.load functions. An attacker can cause cookies intended for a specific host to be sent to subdomains by persisting and restoring cookie...

7.5CVSS5.3AI score0.00279EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 8:8 p.m.7 views

aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...

7.5CVSS5.3AI score0.00279EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/15 8:8 p.m.10 views

GHSA-2FQR-MR3J-6WP8 aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...

5.3CVSS5.4AI score0.00279EPSS
Exploits0References2
OSV
OSV
added 2026/06/15 8:6 p.m.3 views

GHSA-84G9-W2XQ-VCV6 React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight, SameSite cookies already block the cross-origin attack vectors...

3.1CVSS5.4AI score0.00106EPSS
Exploits0References2
OSV
OSV
added 2026/06/15 8:1 p.m.11 views

GHSA-RP9W-3FW7-7CWQ DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script -...

5.1CVSS5.2AI score0.00038EPSS
Exploits0References2
OSV
OSV
added 2026/06/15 5:25 p.m.4 views

GHSA-QXH6-94W6-9R5P @angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker

An information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata such as headers from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive...

8.3CVSS5.5AI score0.00226EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 4:16 p.m.10 views

CVE-2026-9595

Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

5.3CVSS0.00163EPSS
Exploits0References5
OSV
OSV
added 2026/06/15 4:16 p.m.6 views

UBUNTU-CVE-2026-9595

Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

5.3CVSS5.8AI score0.00163EPSS
Exploits0References7
OSV
OSV
added 2026/06/15 3:50 p.m.7 views

MAL-2026-5807 Malicious code in sam-package (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 26e593046a8f405a1a571d19aaa6bd46db57c4a22fce4b9acfc114dd4eb8ffb6 [email protected] is a malicious package whose only purpose is to deliver a prompt-injection payload targeting AI coding assistants Copilot, Cursor,...

5.5AI score
Exploits0References19
CVE
CVE
added 2026/06/15 3:0 p.m.84 views

CVE-2026-9595

The CVE affects webpack-dev-server where a user-configured proxy with a broad context (e.g., /) and ws: true intercepts the dev server’s HMR WebSocket, forwarding it to the proxy target. This can leak cookies and Origin headers to the backend, bypass Host/Origin validation, and corrupt the HMR so...

5.3CVSS5.3AI score0.00163EPSS
Exploits0References5Affected Software1
Hacker One
Hacker One
added 2026/06/15 11:37 a.m.117 views

curl: Secure cookies leaked to HTTP origins through HTTPS forwarding proxy

Summary: When curl accesses an http:// origin through an HTTPS forwarding proxy, it sends Secure cookies in the request. The cookies travel in cleartext between the proxy and the origin server, visible to the proxy operator and anyone on that network path. curl also reports CURLINFOSCHEME as...

5.5AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.11 views

PT-2026-49563

Name of the Vulnerable Software and Affected Versions @angular/service-worker versions prior to 19.2.23 @angular/service-worker versions prior to 20.3.22 @angular/service-worker versions prior to 21.2.15 @angular/service-worker versions prior to 22.0.0-rc.2 Description An issue in the...

5.7CVSS5.8AI score0.0015EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.23 views

PT-2026-49561

Name of the Vulnerable Software and Affected Versions Angular versions prior to 22.0.0-rc.2 Angular versions prior to 21.2.15 Angular versions prior to 20.3.22 Angular versions prior to 19.2.23 Description An issue exists in @angular/common when Server-Side Rendering SSR and hydration are enabled...

8.2CVSS5.8AI score0.00267EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.9 views

PT-2026-49593

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.14.1 Description Host-only cookies saved using the CookieJar.save function and subsequently restored via the CookieJar.load function lose their host-only status. This can result in cookies loaded from disk being sen...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.13 views

PT-2026-49559

If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script -...

5.1CVSS5.1AI score0.00038EPSS
Exploits0References3
Rows per page
Query Builder