Lucene search
K

90 matches found

Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.17 views

PT-2026-55464

Name of the Vulnerable Software and Affected Versions kerberos-io/agent versions prior to 3.6.26 Description An issue exists in the Kerberos Hub upload path where the agent sends credentials in the custom X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey request headers to the...

6.9CVSS6AI score
Exploits0References5
Fedora
Fedora
added 2026/06/27 1:12 a.m.5 views

[SECURITY] Fedora 44 Update: nginx-mod-fancyindex-0.6.0-6.fc44

The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: Custom headers. Either local or stored remotely. Cust...

9.2CVSS6.9AI score0.03225EPSS
Exploits4
Fedora
Fedora
added 2026/06/27 12:56 a.m.4 views

[SECURITY] Fedora 43 Update: nginx-mod-fancyindex-0.6.0-6.fc43

The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: Custom headers. Either local or stored remotely. Cust...

9.2CVSS6.9AI score0.03225EPSS
Exploits4
OSV
OSV
added 2026/06/26 8:42 a.m.5 views

BIT-GRAFANA-2026-10601 Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: 1 capture admin-configured datasource credentials secureJsonData custom headers by traversing to an...

5.4CVSS5.8AI score0.00258EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 9:31 p.m.6 views

GHSA-X7CF-6GP3-Q5F8 Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rjxq-qqhf-8hwh. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwar...

7.1CVSS5.3AI score0.00223EPSS
Exploits0References3
Fedora
Fedora
added 2026/06/01 1:1 a.m.17 views

[SECURITY] Fedora 43 Update: nginx-mod-fancyindex-0.6.0-5.fc43

The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: Custom headers. Either local or stored remotely. Cust...

9.2CVSS5.8AI score0.04261EPSS
Exploits3
Fedora
Fedora
added 2026/05/28 1:13 a.m.13 views

[SECURITY] Fedora 44 Update: nginx-mod-fancyindex-0.6.0-5.fc44

The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: Custom headers. Either local or stored remotely. Cust...

9.2CVSS5.8AI score0.04261EPSS
Exploits3
Hacker One
Hacker One
added 2026/05/17 7:12 a.m.18 views

curl: CRLF Injection via Custom HTTP Headers

Summary: libcurl writes user-supplied custom headers directly into the HTTP request buffer without stripping \r\n characters. The raw input pointer origp in Curladdcustomheaders lib/http.c is serialized verbatim into the outgoing request using curlxdynaddfreq, "%s\r\n", origp instead of using the...

5.8AI score
Exploits0
Fedora
Fedora
added 2026/05/15 10:45 p.m.16 views

[SECURITY] Fedora 42 Update: nginx-mod-fancyindex-0.6.0-4.fc42

The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: Custom headers. Either local or stored remotely. Cust...

9.2CVSS6AI score0.61469EPSS
Exploits41
Fedora
Fedora
added 2026/05/15 9:9 p.m.14 views

[SECURITY] Fedora 43 Update: nginx-mod-fancyindex-0.6.0-4.fc43

The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: Custom headers. Either local or stored remotely. Cust...

9.2CVSS6AI score0.61469EPSS
Exploits41
Fedora
Fedora
added 2026/05/15 8:58 p.m.12 views

[SECURITY] Fedora 44 Update: nginx-mod-fancyindex-0.6.0-4.fc44

The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: Custom headers. Either local or stored remotely. Cust...

9.2CVSS6AI score0.61469EPSS
Exploits41
NVD
NVD
added 2026/05/14 4:16 p.m.55 views

CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS0.00505EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/14 3:58 p.m.5 views

CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS5.8AI score0.00505EPSS
Exploits0References2Affected Software6
CVE
CVE
added 2026/05/14 3:58 p.m.57 views

CVE-2026-44503

CVE-2026-44503 affects the RedirectHandler in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0, and similar Kiota libraries). The root cause is that when following 3xx redirects to a different host or scheme, only the Authorization header is removed; Cookie, Proxy-Auth...

7CVSS5.8AI score0.00505EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.29 views

CVE-2026-2717 HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values

The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via insertwithmarkers. This makes it possible for...

5.5CVSS0.00474EPSS
Exploits0References5
CVE
CVE
added 2026/04/22 7:45 a.m.7 views

CVE-2026-2717

The CVE concerns the WordPress HTTP Headers plugin (versions up to and including 1.19.2) vulnerable to CRLF Injection. The issue arises from insufficient sanitization of custom header name/value fields before they are written to the Apache .htaccess file via insert_with_markers(), enabling authen...

5.5CVSS5.8AI score0.00474EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.29 views

CVE-2026-1379 HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4CVSS0.0029EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/22 7:45 a.m.3 views

CVE-2026-1379 HTTP Headers <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Headers' Plugin Setting

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4CVSS5.8AI score0.0029EPSS
Exploits0References3
CVE
CVE
added 2026/04/22 7:45 a.m.8 views

CVE-2026-1379

The CVE-2026-1379 entry concerns the WordPress HTTP Headers plugin. It describes a Stored Cross-Site Scripting vulnerability in admin settings for all versions up to and including 1.19.2, caused by insufficient input sanitization and output escaping. Exploitation requires an authenticated attacke...

4.4CVSS5.8AI score0.0029EPSS
Exploits0References3
Hacker One
Hacker One
added 2026/03/10 7:58 a.m.18 views

curl: CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap

Summary: CURLOPTUNRESTRICTEDAUTH=1 instructs libcurl to send credentials to ALL hosts during redirect chains, 'possibly again and again as the following hosts can keep redirecting to new hosts.' The documentation explicitly warns this is dangerous, but the default behavior is also risky: curl onl...

5.8AI score
Exploits0
Rows per page
Query Builder