Lucene search
K

24 matches found

Cvelist
Cvelist
added yesterday22 views

CVE-2026-55501 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail...

7.3CVSS
Exploits0References3
OSV
OSV
added 2026/04/02 6:42 p.m.10 views

GO-2026-4916 Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server

Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

6.5CVSS5.9AI score0.00305EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.5 views

PT-2026-29956

Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

6.5CVSS5.9AI score0.00305EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/25 6:31 p.m.4 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS due to the lack of rate limiting in the login process. An attacker can exhaust server resources by sending a large number of parallel login requests via a single HTTP/2 packet, potentially causing the server to cra...

6.5CVSS6AI score0.00305EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/25 6:31 p.m.4 views

EUVD-2026-15756

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...

4.3CVSS5.8AI score0.00305EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.19 views

PT-2026-27961

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.4.0 and earlier Mattermost versions 11.3.1 and earlier Mattermost versions 11.2.3 and earlier Mattermost versions 10.11.11 and earlier Description The software does not adequately limit the rate of login requests. This...

6.5CVSS5.9AI score0.60368EPSS
Exploits18References43
EUVD
EUVD
added 2026/03/17 6:30 p.m.7 views

EUVD-2026-12608

JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials...

9.3CVSS5.8AI score0.00488EPSS
Exploits0References5
CVE
CVE
added 2026/03/17 5:19 p.m.35 views

CVE-2026-32295

CVE-2026-32295 affects JetKVM prior to version 0.5.4, where there is no rate limiting on login attempts. This enables brute-force attempts to guess credentials, exposing potential unauthorized access. The vulnerability is mitigated by upgrading to version 0.5.4 (fix referenced in multiple sources...

9.3CVSS5.8AI score0.00488EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/01/09 12:0 a.m.6 views

EUVD-2026-1679

A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack...

6.5CVSS6.5AI score0.00367EPSS
Exploits0References3
NVD
NVD
added 2026/01/05 9:16 p.m.6 views

CVE-2025-64422

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...

6.9CVSS0.00252EPSS
Exploits1References1
OSV
OSV
added 2026/01/05 8:29 p.m.9 views

CVE-2025-64422 Rate-limit bypass on login via X-Forwarded-Host header

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...

6.9CVSS6.8AI score0.00252EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/01/05 8:29 p.m.26 views

CVE-2025-64422 Rate-limit bypass on login via X-Forwarded-Host header

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...

6.9CVSS0.00252EPSS
Exploits1References1
EUVD
EUVD
added 2026/01/05 8:29 p.m.5 views

EUVD-2025-206238

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables...

6.9CVSS6.3AI score0.00252EPSS
Exploits1References1
OSV
OSV
added 2025/12/15 11:18 p.m.6 views

CVE-2025-66482 Misskey has a login rate limit bypass via spoofed X-Forwarded-For header

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to...

6.9CVSS6.8AI score0.00285EPSS
Exploits1References4
CVE
CVE
added 2025/12/15 11:18 p.m.17 views

CVE-2025-66482

Misskey CVE-2025-66482 affects the login rate-limiting mechanism via forged X-Forwarded-For headers. The vulnerability arises from an insecure default for trustProxy in the config, making instances vulnerable if not explicitly overridden. It is addressable starting with version 2025.9.1 by introd...

6.9CVSS6.5AI score0.00285EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/15 8:59 p.m.7 views

Misskey has a login rate limit bypass via spoofed X-Forwarded-For header

Summary When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to prevent this from happening. However, it is...

6.9CVSS6.9AI score0.00285EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2025/12/15 8:59 p.m.6 views

GHSA-WWRJ-3HVJ-PRPM Misskey has a login rate limit bypass via spoofed X-Forwarded-For header

Summary When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to prevent this from happening. However, it is...

6.9CVSS6.8AI score0.00285EPSS
Exploits1References4
OSV
OSV
added 2025/08/11 5:24 p.m.4 views

GO-2025-3842 Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault

Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault...

5.7CVSS7.1AI score0.00286EPSS
Exploits0References3
OSV
OSV
added 2025/06/25 5:15 p.m.3 views

DEBIAN-CVE-2025-52576

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine vali...

5.3CVSS5.4AI score0.00299EPSS
Exploits0References1
OSV
OSV
added 2024/10/04 1:15 p.m.4 views

CVE-2024-47656

This vulnerability exists in Shilpi Client Dashboard due to missing restrictions for incorrect login attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on password, which could lead to gain unauthorized access to other user...

9.8CVSS5.8AI score0.00488EPSS
Exploits0References1
Rows per page
Query Builder