traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

Impact There is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port,...

Brute Force

Overview Affected versions of this package are vulnerable to Brute Force via the authentication rate limiting process. An attacker can bypass authentication rate limiting by forging the X-Real-IP header, allowing unlimited authentication attempts from a single source. Remediation Upgrade...

CVE-2026-27981

HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...

CVE-2026-27981

HomeBox vulnerability CVE-2026-27981 allows an attacker to bypass authentication rate limiting by spoofing client IPs via X-Real-IP and manipulating X-Forwarded-For, since the authRateLimiter reads these headers and r.RemoteAddr unconditionally, with RealIP middleware overwriting the remote addre...

CVE-2026-27981 HomeBox has an Auth Rate Limit Bypass via IP Spoofing

HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...

EUVD-2026-9346

HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...

CVE-2026-27981

HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...

HomeBox 安全漏洞

HomeBox is an open-source system developed by SysAdmins Media for home users. Versions of HomeBox prior to 0.24.0 contained security vulnerabilities. These vulnerabilities stemmed from the identity authentication rate limiter unconditionally reading and trusting headers like X-Real-IP, with...

CVE-2026-0692

The CVE-2026-0692 entry concerns the BlueSnap Payment Gateway for WooCommerce WordPress plugin. Affected component: the plugin (up to version 3.3.0). Root cause: it validates IPN requests by relying on WooCommerce’s WC_Geolocation::get_ip_address(), which trusts user-controllable headers (e.g., X...

RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

Summary IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...

CVE-2026-21862 RustFS sourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy...

CVE-2020-37056

The CVE-2020-37056 entry concerns Crystal Shard http-protection 0.2.0, where an IP-spoofing flaw allows bypass of protection middleware by crafting headers. Specifically, attackers can set consistent values in X-Forwarded-For, X-Client-IP, and X-Real-IP to defeat checks and gain unauthorized acce...

Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

Summary IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP...

EUVD-2026-2681

An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service DoS. When an ICMP...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-003300)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003300 advisory. The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service stack consumption and panic or possibly have unspecified other impac...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002322)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002322 advisory. The netgetrandomonce implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended...

PT-2026-1292

Name of the Vulnerable Software and Affected Versions Mega-Fence versions 25.1.914 and prior Description The software does not validate a trusted proxy chain when using the X-Forwarded-For XFF header to determine the client IP address. An attacker can manipulate the XFF header to spoof the client...

CVE-2025-66577 cpp-httplib Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which...

CVE-2025-51663

FileCodeBox (up to 2.2) includes an IP rate-limiting flaw in the IPRateLimit implementation that lets remote attackers bypass ip-based rate limits and failed attempt restrictions by forging X-Real-IP and X-Forwarded-For headers. This can enable DoS or brute-force sharing code attempts. Affected c...

CVE-2025-12094

The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments No CAPTCHA plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers such as CF-Connecting-IP, X-Forwarded-For,...