CVE-2026-34225
Open WebUI vulnerability CVE-2026-34225 affects the Open WebUI self-hosted AI platform (offline). Versions ≤ 0.7.2 expose a Blind Server Side Request Forgery in the image-edit workflow: a GET request to a user-supplied URL with no domain restrictions, enabling access to the local address space. B...
CVE-2026-31788
The CVE-2026-31788 entry describes a vulnerability in the Linux kernel related to the Xen privcmd driver. The privcmd interface could allow a user-space process to issue hypercalls that affect other domains, which is normally restricted to root. In secure-boot scenarios, an unprivileged domU coul...
Himmelblau security vulnerability
Himmelblau is an open-source Azure Entra ID authentication module developed by Himmelblau. Versions prior to Himmelblau 3.1.0 contained security vulnerabilities. These vulnerabilities stemmed from the fact that authentication was not limited by tenant domains, allowing for attempts at...
CVE-2022-31096
Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite h...
EUVD-2020-2988
Malware in sbrugna...
EUVD-2002-1450
Malware in sbrugna...
EUVD-2023-23489
Malicious code in bioql PyPI...
EUVD-2022-52748
Malicious code in bioql PyPI...
EUVD-2024-16661
Malicious code in bioql PyPI...
CVE-2024-0879
Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address...
CVE-2005-2524
Safari after 2.0 in Apple Mac OS X 10.3.9 allows remote attackers to bypass domain restrictions via crafted web archives that cause Safari to render them as if they came from a different site...
Improper URL Parsing
Browser-Use is vulnerable to improper URL parsing. The vulnerability is due to mishandling of `allowed_domains` when userinfo is included in the authority component of a URL within the `_is_url_allowed` method, which allows attackers to bypass domain restrictions...
GHSA-X39X-9QW5-GHRF Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL
Summary: During a manual source code review, ARIMLABS.AI researchers identified that the browser-use module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can...
Prompt Injection
github.com/mattermost/mattermost-server is vulnerable to prompt injection. The vulnerability is due to insufficient domain restriction to the AI plugin's Jira tool, allowing authenticated users to exfiltrate data from arbitrary servers via crafted prompts...
CVE-2024-39320
CVE-2024-39320 affects Discourse. According to the connected Red Hat and OSV entries, the vulnerability allows an attacker to inject iframes from any domain by bypassing the allowed_iframes setting. The issue is fixed in Discourse versions 3.2.5 and 3.3.0.beta5. The available sources confirm the ...
CVE-2024-1347 Authentication Bypass by Spoofing in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restriction...
CVE-2024-29033
CVE-2024-29033 concerns GoogleOAuthenticator.hosted_domain in OAuthenticator for JupyterHub. The root issue is that prior to version 16.3.0 the restriction was applied to Google accounts by email domain rather than guaranteed membership in a Google organization/workspace, allowing accounts create...
PT-2024-22686
Name of the Vulnerable Software and Affected Versions: oauthenticator versions prior to 16.3.0. Description: The issue is related to the GoogleOAuthenticator.hosted_domain parameter, which is intended to restrict access to Google accounts that are part of one or more Google organizations verified to...
BIT-GITLAB-2020-13275
A user with an unverified email address could request an access to domain restricted groups in GitLab EE 12.2 and later through 13.0.1...
BIT-DISCOURSE-2022-31096 Invites restricted to an email or invite links restricted to an email domain may be bypassed under certain conditions in Discourse
Discourse is an open source discussion platform. Under certain conditions, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite h...