6 matches found
CVE-2026-53869
CVE-2026-53869 : Hermes Agent prior to 0.16.0 has a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. The FastAPI HTTP middleware is not executed for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events, ena...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via permissive user proxy...
CVE-2026-35253
Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this...
GHSA-6CF5-W9H3-4RQV Denied Host Validation Bypass in Zitadel Actions
Summary A flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost 127.0.0.1. The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables...
CVE-2024-49753 Denied Host Validation Bypass in Zitadel Actions
Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost 127.0.0.1. The isHostBlocked...
keycloak: redirect_uri validation bypass
A flaw was found in the redirecturi validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users...