Lucene search
+L

9 matches found

CVE
CVE
โ€ขadded yesterdayโ€ข49 views

CVE-2026-48022

The CVE concerns @hapi/wreck, an HTTP client utility. Before version 18.1.2, it forwarded credential headers (Authorization, Cookie, Proxy-Authorization) across cross-origin redirects because the origin check only compared hostnames and ignored scheme and port. This allowed credentials to flow ac...

6.5CVSS5.3AI score0.0001EPSS
Exploits0References4
CVE
CVE
โ€ขadded yesterdayโ€ข37 views

CVE-2026-44979

CVE-2026-44979 affects the @hapi/wreck HTTP client. Before 18.1.1, when following a 3xx redirect to a different hostname, the Proxy-Authorization header was not stripped (unlike Authorization and Cookie), potentially exposing forward-proxy credentials to the redirect target. The issue is fixed in...

6.3CVSS5.2AI score0.00054EPSS
Exploits0References4
OSV
OSV
โ€ขadded 2026/07/10 9:17 a.m.โ€ข4 views

ROOT-APP-NPM-CVE-2026-48022 CVE-2026-48022 in @rootio/hapi__wreck - Patched by Root

Root has patched CVE-2026-48022 in the @rootio/hapiwreck package for Root:npm. Multiple fixed versions available...

6.5CVSS6.1AI score0.0001EPSS
Exploits0
OSV
OSV
โ€ขadded 2026/07/10 9:17 a.m.โ€ข7 views

ROOT-APP-NPM-CVE-2026-44979 CVE-2026-44979 in @rootio/hapi__wreck - Patched by Root

Root has patched CVE-2026-44979 in the @rootio/hapiwreck package for Root:npm. Multiple fixed versions available...

6.3CVSS5.8AI score0.00054EPSS
Exploits0
OSV
OSV
โ€ขadded 2026/06/11 1:27 p.m.โ€ข10 views

GHSA-X426-X7CC-3FPC @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects

Impact Wreck strips credential headers Authorization, Cookie, Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP...

6.5CVSS5.5AI score0.0001EPSS
Exploits0References3
vulnersOsv
vulnersOsv
โ€ขadded 2026/05/27 12:38 a.m.โ€ข6 views

@userfront/bell (>=5.2.3-0 <=6.0.0), ffc-auth (>=0.1.0 <=0.13.0-alpha.2) +1 more potentially affected by CVE-2026-44979 via @hapi/wreck (>=18.0.0 <=18.0.1)

@hapi/wreck NPM version =18.0.0, =5.2.3-0, =0.1.0, =1.0.2, =1.0.4 Source cves: CVE-2026-44979 Source advisory: SNYK:JS-HAPIWRECK-16881586...

5.4AI score0.00054EPSS
Exploits0
vulnersOsv
vulnersOsv
โ€ขadded 2026/05/27 12:38 a.m.โ€ข8 views

20yearrewards (>=1.0.7 <=1.0.8), 3id-test-helper (>=1.0.0 <=1.0.4) +1062 more potentially affected by CVE-2026-44979 via @hapi/wreck (>=15.1.0 <=18.0.1)

@hapi/wreck NPM version =15.1.0, =1.0.7, =1.0.0, =0.24.0, =2.0.2, =6.8.2, =1.4.0, =1.0.0, =0.0.2, =1.0.0, =1.6.0, =1.7.10 and more Source cves: CVE-2026-44979 Source advisory: OSV:GHSA-VHJM-W67Q-G75C...

5.7AI score0.00054EPSS
Exploits0
OSV
OSV
โ€ขadded 2026/05/27 12:38 a.m.โ€ข11 views

GHSA-VHJM-W67Q-G75C @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects

Impact When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...

6.3CVSS5.8AI score0.00054EPSS
Exploits0References4
Positive Technologies
Positive Technologies
โ€ขadded 2026/05/27 12:0 a.m.โ€ข13 views

PT-2026-43631

Name of the Vulnerable Software and Affected Versions @hapi/wreck versions prior to 18.1.1 Description When following a 3xx redirect to a different hostname, the utility only strips the Authorization and Cookie headers. The Proxy-Authorization credential header is forwarded intact to the redirect...

6.3CVSS5.3AI score0.00054EPSS
Exploits0References12
Rows per page
Query Builder