Lucene search
K

56 matches found

RedhatCVE
RedhatCVE
added 2026/02/22 7:24 a.m.9 views

CVE-2026-27191

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...

7.4CVSS5.6AI score0.00254EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/22 7:24 a.m.8 views

CVE-2026-27193

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

8.2CVSS5.5AI score0.00354EPSS
Exploits0References1
NVD
NVD
added 2026/02/21 5:17 a.m.20 views

CVE-2026-27193

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

8.2CVSS0.00354EPSS
Exploits0References3
NVD
NVD
added 2026/02/21 4:15 a.m.13 views

CVE-2026-27191

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...

7.4CVSS0.00254EPSS
Exploits0References3
NVD
NVD
added 2026/02/21 4:15 a.m.5 views

CVE-2026-27192

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...

8.1CVSS0.0024EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/21 4:9 a.m.4 views

CVE-2026-27193

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

8.2CVSS5.5AI score0.00354EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/02/21 4:9 a.m.15 views

CVE-2026-27193

Feathersjs versions ≤ 5.0.39 store all HTTP request headers in the signed but unencrypted session cookie. The complete headers object (including internal proxy/gateway headers, API keys, tokens, and internal IPs) is base64-encoded in the cookie and readable by clients, exposing sensitive infrastr...

8.2CVSS5.5AI score0.00354EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/21 4:9 a.m.5 views

CVE-2026-27193 Feathers exposes internal headers via unencrypted session cookie

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

8.2CVSS5.5AI score0.00354EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/02/21 3:50 a.m.4 views

CVE-2026-27192 Feathers has an origin validation bypass via prefix matching

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...

7.6CVSS5.4AI score0.0024EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/21 3:50 a.m.23 views

CVE-2026-27192 Feathers has an origin validation bypass via prefix matching

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...

7.6CVSS0.0024EPSS
Exploits0References3
CVE
CVE
added 2026/02/21 3:50 a.m.17 views

CVE-2026-27192

Feathersjs vulnerability CVE-2026-27192 affects 5.0.39 and earlier. The origin validation in getAllowedOrigin() uses startsWith() to compare Referer against allowed origins, which can be bypassed by registering a domain with a shared prefix (e.g., https://target.com.attacker.com vs https://target...

8.1CVSS5.7AI score0.0024EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/02/21 3:50 a.m.6 views

CVE-2026-27192

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...

7.6CVSS5.7AI score0.0024EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/02/21 3:50 a.m.7 views

CVE-2026-27192 Feathers has an origin validation bypass via prefix matching

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...

7.6CVSS5.7AI score0.0024EPSS
Exploits0References5
OSV
OSV
added 2026/02/21 3:23 a.m.9 views

CVE-2026-27191 Feathers: Open Redirect in OAuth callback enables account takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...

7.4CVSS5.7AI score0.00254EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/21 3:23 a.m.7 views

CVE-2026-27191

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...

7.4CVSS5.6AI score0.00254EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/02/21 3:23 a.m.31 views

CVE-2026-27191 Feathers: Open Redirect in OAuth callback enables account takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...

7.4CVSS0.00254EPSS
Exploits0References3
CVE
CVE
added 2026/02/21 3:23 a.m.19 views

CVE-2026-27191

Feathersjs (Feathers) Open Redirect in OAuth callback (CVE-2026-27191) affects versions 5.0.39 and earlier where the redirect query parameter is appended to the base origin without validation. This allows an attacker to steal victims’ access tokens via URL authority injection, leading to account ...

7.4CVSS5.6AI score0.00254EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/21 12:0 a.m.9 views

PT-2026-21346

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...

7.4CVSS5.6AI score0.00254EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/21 12:0 a.m.10 views

PT-2026-21348

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

8.2CVSS5.5AI score0.00354EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/21 12:0 a.m.6 views

PT-2026-21347

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...

7.6CVSS5.7AI score0.0024EPSS
Exploits0References4
Rows per page
Query Builder