11 matches found

CNNVD
added 6 days ago · 3 views

Neotoma Access Control Error Vulnerability

Neotoma is a locally prioritized open-source tool developed by Mark Hendrickson as an AI agent for managing state and records across various tools. Versions of Neotoma from 0.6.0 to 0.11.1 contained an access control vulnerability. This vulnerability occurred when the application received request...

CVSS 6.9 · AI score 5.8 · EPSS 0.00041
Exploits: 0 · References: 2
Veracode
added 2026/04/30 10:4 a.m. · 4 views

Server-Side Request Forgery (SSRF)

Axios is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to inadequate hostname normalization and reliance on string matching in proxy bypass logic, which allows an attacker to route local requests through a proxy instead of bypassing it...

CVSS 7.5 · AI score 5.2 · EPSS 0.0006
Exploits: 1 · References: 3 · Affected Software: 1
CVE
added 2026/04/09 9:27 p.m. · 7 views

CVE-2026-35634

OpenClaw Canvas Gateway is affected by an authentication bypass in versions before 2026.3.23. The issue stems from authorizeCanvasRequest() unconditionally allowing local-direct requests without validating bearer tokens or canvas capabilities, enabling unauthenticated loopback HTTP and WebSocket ...

CVSS 5.1 · AI score 5.9 · EPSS 0.00033
Exploits: 0 · References: 4 · Affected Software: 1
RedhatCVE
added 2025/05/22 9:22 p.m. · 4 views

CVE-2021-41238

Hangfire is an open source system to perform background job processing in .NET or .NET Core applications. No Windows Service or separate process required. Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no...

CVSS 8.6 · AI score 6.7 · EPSS 0.0028
Exploits: 0
Snyk
added 2025/03/23 10:18 a.m. · 2 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal where an attacker can traverse the file system and access files outside of the intended directory. PoC 1 Install the files-bucket-server package: npm install files-bucket-server 2 Create a new directory: mkdir...

CVSS 8.7 · AI score 6.7 · EPSS 0.01478
Exploits: 0 · References: 2
RedhatCVE
added 2025/02/05 11:37 p.m. · 8 views

CVE-2022-41942

Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the /list-gitolite endpoint. It...

CVSS 7.9 · AI score 7.3 · EPSS 0.0027
Exploits: 0 · References: 1
Vulnrichment
added 2024/09/09 3:2 p.m. · 12 views

CVE-2024-8042 Rapid7 Insight Platform Unauthorized Empty Group Creation

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect...

CVSS 2.4 · AI score 6.6 · EPSS 0.0002
Exploits: 0 · References: 1
Cvelist
added 2024/09/09 3:2 p.m. · 14 views

CVE-2024-8042 Rapid7 Insight Platform Unauthorized Empty Group Creation

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect...

CVSS 2.4 · EPSS 0.0002
Exploits: 0 · References: 1
CNNVD
added 2024/09/09 12:0 a.m. · 1 views

Rapid7 Insight Platform Security Vulnerability

Rapid7 Insight Platform is a platform for managing profiles, users, products, API keys, and settings from Rapid7 USA. A security vulnerability exists in Rapid7 Insight Platform that stems from the inclusion of an authorization missing issue that allows an attacker to intercept local requests to s...

CVSS 3.1 · AI score 6.4 · EPSS 0.0002
Exploits: 0 · References: 2
Positive Technologies
added 2023/10/18 12:0 a.m. · 1 views

PT-2023-28995 · Arduino · Arduino Create Agent

Name of the Vulnerable Software and Affected Versions: Arduino Create Agent versions prior to 1.3.3 Description: The issue affects the endpoint "/upload" which handles requests with the filename parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able ...

CVSS 7.8 · AI score 7.5 · EPSS 0.0008
Exploits: 0 · References: 11
OSV
added 2021/06/01 11:20 a.m. · 0 views

USN-4970-1 gupnp vulnerability

It was discovered that GUPnP incorrectly filtered local requests. If a user were tricked into visiting a malicious website, a remote attacker could possibly use this issue to perform actions against local UPnP services such as obtaining or altering sensitive information...

CVSS 8.1 · AI score 5.8 · EPSS 0.00241
Exploits: 0 · References: 2