EUVD-2026-38451

FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged /api/system/ endpoints. Because system resolves to the cron admin identity,...

Apache APISIX - Remote Code Execution

A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...

CVE-2026-34025

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP...

CVE-2026-34025

CVE-2026-34025 affects Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014). The login flow derives the client IP from the HTTP X-Forwarded-For header when present, bypassing IP-based access restrictions tied to a branch location. An attacker with valid branch credentials can manipu...

PT-2026-49196

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP...

CVE-2026-39409

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

GHSA-XRHX-7G5J-RCJ5 Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Summary The ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms,...

PT-2026-46873

Summary The ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms,...

CVE-2026-47674

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6...

Incorrect Regular Expression

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Incorrect Regular Expression via the ip-restriction middleware. An attacker can bypass configured deny rules for IPv6 addresses by submitting non-canonical representations, such as...

CVE-2026-47674

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6...

Palo Alto Networks PAN-OS 10.2.x / 11.1.x / 11.2.x / 12.1.x Vulnerability

The version of Palo Alto Networks PAN-OS running on the remote host is a vulnerable version of 10.2.x, 11.1.x, 11.2.x, or 12.1.x. It is, therefore, affected by a vulnerability. An authentication bypass vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with...

CVE-2026-0300

A buffer overflow vulnerability in the User-ID™ Authentication Portal aka Captive Portal service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. T...

Decidim's comments API allows access to all commentable resources

Impact The root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the /api endpoint. The /api endpoint is publicly available with the default configuration...

CVE-2026-39409 Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

CVE-2026-39409 Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause...

EUVD-2026-20497

Hono has incorrect IP matching in ipRestriction for IPv4-mapped IPv6 addresses...

PT-2026-31283

Summary ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. Details The middlewar...

CVE-2026-33025 AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although realescapestring was applied, it only escapes...

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo

Summary When using the AWS Lambda adapter hono/aws-lambda behind an Application Load Balancer ALB, the getConnInfo function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first...