
11 matches found

Tenable Nessus
added 2026/06/08 12:00 a.m., 10 views

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3340 (ALAS-2026-3340)

The version of thunderbird installed on the remote host is prior to 140.11.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3340 advisory. Three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming th...

CVSS 9.8, AI score 5.9, EPSS 0.00605
Exploits 0, References 34
ATTACKERKB
added 2026/05/12 7:45 a.m., 4 views

CVE-2026-6402

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for...

CVSS 5.3, AI score 5.8, EPSS 0.00216
Exploits 0, References 3
CVE
added 2026/05/12 7:45 a.m., 21 views

CVE-2026-6402

The CVE-2026-6402 entry concerns webpack-dev-server (versions up to 5.2.3) and a cross-origin source code exposure when served over non-HTTPS or otherwise untrusted origins. The root cause is that the prior fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers omit for non-trustworthy ori...

CVSS 6.5, AI score 5.8, EPSS 0.00216
Exploits 0, References 2, Affected Software 1
Vulnrichment
added 2026/05/12 7:45 a.m., 7 views

CVE-2026-6402 webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for...

CVSS 5.3, AI score 5.8, EPSS 0.00216
Exploits 0, References 2
Hacker One
added 2026/03/16 10:23 p.m., 31 views

curl: HSTS accepted from HTTP origin behind HTTPS proxy

curl/libcurl appears to accept and persist Strict-Transport-Security from an http:// origin when the request is sent through an https:// proxy. After that, a later http:// request for the same host is automatically upgraded to https:// due to stored HSTS state. Affected versions 8.12.0 through...

AI score 5.7
Exploits 0
NVD
added 2025/08/29 4:15 p.m., 3 views

CVE-2025-47909

Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin...

CVSS 7.3, EPSS 0.00159
Exploits 0, References 2
Cvelist
added 2025/08/29 3:55 p.m., 8 views

CVE-2025-47909 Improper validation of TrustedOrigins allows CSRF attacks in github.com/gorilla/csrf

Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin...

EPSS 0.00159
Exploits 0, References 2
Positive Technologies
added 2025/08/29 12:00 a.m., 4 views

PT-2025-35244

Name of the Vulnerable Software and Affected Versions: Go (affected versions not specified). Description: Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, potentially enabling network attackers to perform Cross-Site Request Forgery (CSRF) attacks. Following...

CVSS 7.3, AI score 4.7, EPSS 0.00345
Exploits 0, References 13
BDU FSTEC
added 2022/04/08 12:00 a.m., 6 views

The vulnerability of the VMware Workspace ONE Access application management platform, the VMware Cloud Foundation virtualization platform, the VMware vRealize Automation virtual infrastructure management tool, the vRealize Suite Lifecycle Manager application lifecycle management software, and the VMware Identity Manager (vIDM) administration console lies in insufficient checks on the HTTP request source. This allows attackers to carry out CSRF attacks.

The vulnerabilities of the application management platform VMware Workspace ONE Access, the virtualization platform VMware Cloud Foundation, the virtual infrastructure management tool VMware vRealize Automation, the application lifecycle management software vRealize Suite Lifecycle Manager, and t...

CVSS 10, AI score 7, EPSS 0.00483
Exploits 1, References 4, Affected Software 3
OpenVAS
added 2017/10/12 12:00 a.m., 26 views

Ubuntu: Security Advisory (USN-3452-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5, AI score 6.8, EPSS 0.04396
Exploits 2, References 2
htbridge
added 2012/12/26 12:00 a.m., 32 views

Multiple Vulnerabilities in jforum

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jforum, which can be exploited to perform Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. 1) Multiple Cross-Site Scripting (XSS) vulnerabilities in jforum: CVE-2012-6445. 1.1) The vulnerability exists d...

CVSS 5.1, AI score 6.6
Exploits 0, Affected Software 1