8218 matches found
CVE-2026-25771 Wazuh Vulnerable to Denial of Service via Synchronous I/O Blocking in Asynchronous Authentication Middleware
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.3.0 and prior to version 4.14.3, a Denial of Service DoS vulnerability exists in the Wazuh API authentication middleware middlewares.py. The application uses an asynchronous event...
EUVD-2026-12620
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.3.0 and prior to version 4.14.3, a Denial of Service DoS vulnerability exists in the Wazuh API authentication middleware middlewares.py. The application uses an asynchronous event...
CVE-2026-25771 Wazuh Vulnerable to Denial of Service via Synchronous I/O Blocking in Asynchronous Authentication Middleware
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.3.0 and prior to version 4.14.3, a Denial of Service DoS vulnerability exists in the Wazuh API authentication middleware middlewares.py. The application uses an asynchronous event...
CVE-2026-25771
Wazuh vulnerability CVE-2026-25771 affects versions 4.3.0 through prior to 4.14.3. The DoS arises in the API authentication middleware: the async Starlette/Asyncio loop calls a synchronous generate_keypair function that performs blocking disk I/O on every request with a Bearer token, allowing an ...
Exploit for Incorrect Authorization in Vercel Next.Js
CVE-2025-29927 — Next.js Middleware Authentication Bypass...
PT-2026-25990
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a...
Wazuh 资源管理错误漏洞
Wazuh is an open-source application developed by Wazuh. It is used for collecting, summarizing, indexing, and analyzing security data, helping organizations detect intrusions, threats, and abnormal behaviors. Versions of Wazuh from 4.3.0 to 4.14.3 contained a resource management vulnerability. Th...
Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Summary Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain...
GHSA-HHCG-R27J-FHV9 Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Summary Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain...
Malicious code in fastapi-middleware-cors (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 305178589615e2247b892b3e305e5fd69a0fc02092f0b115b6b384441f5ddd46 Library disguised as FastAPI helper is executing obfuscated code during importing the module. The code is highly obfuscated; the code seems to contain an...
EUVD-2026-12097
Parse Server's GraphQL WebSocket endpoint bypasses security middleware...
Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware
Impact Since version 1.4.0, Scrapy respects the Referrer-Policy response header to decide whether and how to set a Referer header on follow-up requests. If the header value looked like a valid Python import path, Scrapy would import the referenced object and call it, assuming it referred to a...
GHSA-CWXJ-RR6W-M6W7 Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware
Impact Since version 1.4.0, Scrapy respects the Referrer-Policy response header to decide whether and how to set a Referer header on follow-up requests. If the header value looked like a valid Python import path, Scrapy would import the referenced object and call it, assuming it referred to a...
Missing Critical Step in Authentication
Overview Affected versions of this package are vulnerable to Missing Critical Step in Authentication via the OIDC authorize process. An attacker can gain unauthorized access to valid OIDC tokens by leveraging a session where only the password has been verified but the second authentication factor...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the token endpoint. An attacker can obtain access tokens for users who have not authorized their application by exchanging intercepted authorization codes issued to other clients. Note: This is only exploitabl...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the SCIM API when URL-encoded path values are used. An attacker can access sensitive user information, including names, email addresses, phone numbers, addresses, external IDs,...
Malicious code in locale-clamp-middleware (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e27ac52023546a1eba07c629b78779bf6d13280f732fce7b0d66c18a660d90e6 The package locale-clamp-middleware was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-1348 Malicious code in locale-clamp-middleware (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e27ac52023546a1eba07c629b78779bf6d13280f732fce7b0d66c18a660d90e6 The package locale-clamp-middleware was found to contain malicious code. Source: ossf-package-analysis...
SUSE CVE-2026-31801
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the t...
CVE-2026-31816
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...