Lucene search
+L

1121 matches found

Nuclei
Nuclei
added 11 hours ago55 views

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

6.1CVSS5.9AI score0.01595EPSS
Exploits2References2
CVE
CVE
added 3 days ago12 views

CVE-2026-55652

Wekan prior to v9.46 is vulnerable to a header-login bypass: the server trusts X-Forwarded-For via HEADER_LOGIN_TRUSTED_IPS in getRequestIp(), allowing unauthenticated users to request a login for any username and obtain a meteor_login_token (including admin), enabling full account takeover. The ...

9.8CVSS6.1AI score0.00355EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 4 days ago8 views

CVE-2026-9561

Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 Web Console and org.eclipse.kura.rest.provider REST API components use this header as the primary IP sour...

8.8CVSS6.1AI score0.00204EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/07/10 3:23 p.m.31 views

CVE-2026-55501 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail...

7.3CVSS0.00515EPSS
Exploits0References3
CVE
CVE
added 2026/07/10 3:23 p.m.22 views

CVE-2026-55501

The CVE concerns 9router prior to version 0.4.80, where the login rate limiter uses client identity from the attacker-controlled X-Forwarded-For header in src/lib/auth/loginLimiter.js. This allows remote attackers to rotate X-Forwarded-For per attempt, creating a fresh rate-limit bucket each time...

7.3CVSS6.2AI score0.00515EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/09 9:30 p.m.37 views

CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to...

9.3CVSS0.00293EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.18 views

PT-2026-56988

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.307 Description An authentication bypass exists that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints. This is achieved by supplying a spoofed...

9.3CVSS6.2AI score0.00293EPSS
Exploits0References8
NVD
NVD
added 2026/07/08 5:17 p.m.10 views

CVE-2026-59897

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

5.3CVSS0.00126EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/08 4:6 p.m.34 views

CVE-2026-59897 Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

4.8CVSS0.00126EPSS
Exploits0References3
OSV
OSV
added 2026/07/08 4:6 p.m.7 views

CVE-2026-59897 Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

4.8CVSS6.1AI score0.00126EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.6 views

PT-2026-56507

Name of the Vulnerable Software and Affected Versions Hono versions 4.3.3 through 4.12.26 Description The AWS API Gateway v1 adapter incorrectly de-duplicates repeated request header values by using a substring comparison instead of an exact match. This behavior can lead to the loss of distinct...

5.3CVSS6.1AI score0.00126EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/07/06 9:46 p.m.11 views

NPM: 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

NPM: 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header vulnerability discovered by ? in WordPress Npm 9router versions = 0.4.71...

7.3CVSS5.9AI score0.00515EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/06/29 6:16 p.m.10 views

CVE-2026-57942

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the getremoteaddress function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attacker...

6.9CVSS0.00192EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/29 5:17 p.m.38 views

CVE-2026-57942 LibreTranslate - IP Spoofing via X-Forwarded-For Header

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the getremoteaddress function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attacker...

6.9CVSS0.00192EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/29 5:17 p.m.8 views

CVE-2026-57942 LibreTranslate - IP Spoofing via X-Forwarded-For Header

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the getremoteaddress function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attacker...

6.9CVSS5.9AI score0.00192EPSS
Exploits0References4
OSV
OSV
added 2026/06/29 5:17 p.m.5 views

CVE-2026-57942 LibreTranslate - IP Spoofing via X-Forwarded-For Header

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the getremoteaddress function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attacker...

6.9CVSS6AI score0.00192EPSS
Exploits0References7
NVD
NVD
added 2026/06/22 6:16 p.m.16 views

CVE-2026-54289

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so...

4.8CVSS0.00114EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 5:16 p.m.35 views

CVE-2026-54289 Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so...

4.8CVSS0.00114EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 5:16 p.m.8 views

CVE-2026-54289

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so...

4.8CVSS5.9AI score0.00114EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/22 5:16 p.m.29 views

CVE-2026-54289

CVE-2026-54289 — Hono Lambda@Edge header handling : On AWS Lambda@Edge, prior to 4.12.25, CloudFront may deliver repeated headers as multiple entries. The Hono Lambda@Edge adapter uses Headers.set for each value, overwriting the previous one, so only the last value reaches the application. Header...

4.8CVSS5.9AI score0.00114EPSS
Exploits0References1
Rows per page
Query Builder