Lucene search
K

2202 matches found

Vulnrichment
Vulnrichment
added 2026/05/23 6:30 p.m.10 views

CVE-2018-25349 userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators...

6.1CVSS5.7AI score0.00155EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/23 6:30 p.m.32 views

CVE-2018-25349 userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators...

6.1CVSS0.00155EPSS
Exploits0References2
CVE
CVE
added 2026/05/23 6:30 p.m.34 views

CVE-2018-25349

The CVE-2018-25349 vulnerability affects userSpice 4.3.24. A cross-site scripting flaw arises from crafted X-Forwarded-For header values sent to backup.php, with scripts executing when administrators visit the audit log page. This is the explicit impact described in the connected records. No reme...

6.1CVSS5.7AI score0.00155EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/23 6:30 p.m.10 views

CVE-2018-25349

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators...

6.1CVSS5.7AI score0.00155EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/05/22 5:32 a.m.9 views

Improper Check for Dropped Privileges

Overview Affected versions of this package are vulnerable to Improper Check for Dropped Privileges due to the omission of constraint extensions such as [email protected] when adding a key to a remote agent. An attacker can bypass intended key usage restrictions by forwarding ke...

9.1CVSS5.8AI score0.00346EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/22 2:31 a.m.64 views

CVE-2026-39832 Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all...

0.00346EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/05/22 12:0 a.m.8 views

Unity Linux 20.1060e / 20.1070e Security Update: lighttpd (UTSA-2026-016637)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016637 advisory. In lighttpd 1.4.46 through 1.4.63, the modextforwardForwarded function of the modextforward plugin has a stack-based buffer overflow 4 bytes representing -1, as...

5.9CVSS6.6AI score0.08969EPSS
Exploits1References4
NVD
NVD
added 2026/05/20 7:16 a.m.11 views

CVE-2026-2955

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

6.4CVSS0.00223EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in golang-github-gin-gonic-gin

This affects all versions of the package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client’s IP address can be spoofed by setting the X-Forwarded-For header...

7.1CVSS7AI score0.01316EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.8 views

Astra Linux – Vulnerability in Ruby-Rack

Rack is a modular Ruby web server interface. Carefully crafted headers may cause header parsing in Rack to take longer than expected, potentially leading to a denial-of-service issue. The Accept and Forwarded headers are affected. Ruby 3.2 includes fixes for this problem, so Rack applications tha...

7.5CVSS6.1AI score0.01996EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.2 views

Astra Linux – Vulnerability in Tomcat9

When using RemoteIpFilter with requests received from a reverse proxy via HTTP that includes the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71, and 8.5.0 to 8.5.85 did not include the secure...

4.3CVSS6.8AI score0.01831EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in Apache2

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded- headers to the origin server based on the client-side Connection header hop-by-hop mechanism. This could be used to bypass IP-based authentication on the origin server/application...

9.8CVSS8AI score0.0314EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/20 5:31 a.m.10 views

CVE-2026-2955 AI Chatbot & Workflow Automation by AIWU <= 1.4.14 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' Header

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

6.4CVSS6AI score0.00223EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/20 5:31 a.m.7 views

CVE-2026-2955

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

6.4CVSS6AI score0.00223EPSS
Exploits0References3
CVE
CVE
added 2026/05/20 5:31 a.m.22 views

CVE-2026-2955

CVE-2026-2955 affects the WordPress plugin “AI Chatbot & Workflow Automation by AIWU” up to version 1.4.14. The issue is a Stored Cross-Site Scripting (XSS) vulnerability that can be triggered via the X-Forwarded-For header due to insufficient input sanitization and output escaping. It is exploit...

6.4CVSS6AI score0.00223EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/20 5:31 a.m.42 views

CVE-2026-2955 AI Chatbot & Workflow Automation by AIWU <= 1.4.14 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' Header

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

6.4CVSS0.00223EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.14 views

PT-2026-42107

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

6.4CVSS6AI score0.00223EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.9 views

WordPress plugin AI Chatbot & Workflow Automation by AIWU 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.4CVSS5.8AI score0.00223EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/14 9:22 p.m.6 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...

6.9CVSS5.7AI score0.0043EPSS
Exploits0References2
CVE
CVE
added 2026/05/14 7:3 p.m.40 views

CVE-2026-46356

Fleet (open-source device management) before v4.80.1 is vulnerable: an IP extraction flaw lets unauthenticated attackers bypass per-IP rate limits by rotating headers like True-Client-IP, X-Real-IP, or X-Forwarded-For, enabling brute-force or credential stuffing on exposed instances. Root cause: ...

7.5CVSS5.8AI score0.00276EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder