Lucene search
K

125 matches found

Github Security Blog
Github Security Blog
added 2026/02/03 8:49 p.m.8 views

Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

Summary Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. Impact A vulnerability in checkCSRF lets an attacke...

5.9CVSS5.6AI score0.00159EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.13 views

PT-2026-6472

Summary Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. Impact A vulnerability in checkCSRF lets an attacke...

5.9CVSS5.6AI score0.00159EPSS
Exploits0References5
OSV
OSV
added 2026/01/08 1:20 a.m.5 views

CVE-2026-21883 Bokeh server applications have Incomplete Origin Validation in WebSockets

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...

7.4CVSS6.3AI score0.00159EPSS
Exploits1References5
CVE
CVE
added 2025/12/19 7:16 a.m.10 views

CVE-2025-66500

CVE-2025-66500 describes a stored XSS in Foxit’s webplugins.foxit.com where a postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, enabling arbitrary JavaScript execution when a crafted postMessage is received. The description is consisten...

6.3CVSS5.5AI score0.00173EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2025/11/08 12:55 a.m.15 views

CVE-2025-63716

The SourceCodester Leads Manager Tool v1.0 is vulnerable to Cross-Site Request Forgery CSRF attacks that allow unauthorized state-changing operations. The application lacks CSRF protection mechanisms such as anti-CSRF tokens or same-origin verification for critical endpoints...

6.5CVSS7AI score0.00145EPSS
Exploits1References1
OSV
OSV
added 2025/11/07 6:15 p.m.4 views

CVE-2025-63716

The SourceCodester Leads Manager Tool v1.0 is vulnerable to Cross-Site Request Forgery CSRF attacks that allow unauthorized state-changing operations. The application lacks CSRF protection mechanisms such as anti-CSRF tokens or same-origin verification for critical endpoints...

6.5CVSS5.8AI score0.00145EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/11/07 12:0 a.m.3 views

CVE-2025-63716

The SourceCodester Leads Manager Tool v1.0 is vulnerable to Cross-Site Request Forgery CSRF attacks that allow unauthorized state-changing operations. The application lacks CSRF protection mechanisms such as anti-CSRF tokens or same-origin verification for critical endpoints...

6.5AI score0.00145EPSS
Exploits1References2
CVE
CVE
added 2025/11/07 12:0 a.m.12 views

CVE-2025-63716

The CVE-2025-63716 entry concerns SourceCodester Leads Manager Tool v1.0, which is vulnerable to Cross-Site Request Forgery (CSRF). The root cause stated across sources is lack of CSRF protection mechanisms (no anti-CSRF tokens and no same-origin verification) on critical endpoints, enabling unau...

6.5CVSS6.6AI score0.00145EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2025/10/27 9:15 p.m.33 views

CVE-2025-62523

PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing CORS misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper...

6.3CVSS0.00186EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/10/27 8:10 p.m.4 views

CVE-2025-62523 PILOS Misconfigured the Access-Control-Allow-Origin Header

PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing CORS misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper...

6.3CVSS6.5AI score0.00186EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2018-17927

Malware in sbrugna...

6.5CVSS7.9AI score0.01663EPSS
Exploits0References9
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-12646

Malware in sbrugna...

6.1CVSS7.2AI score0.00384EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-17856

Malware in sbrugna...

6.5CVSS7.9AI score0.01597EPSS
Exploits0References10
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-4630

Malware in sbrugna...

6.1CVSS6.3AI score0.03125EPSS
Exploits1References2
Veracode
Veracode
added 2025/09/08 8:9 a.m.5 views

Cross-Site WebSocket Hijacking (CSWSH)

github.com/komari-monitor/komari is vulnerable to Cross-Site WebSocket Hijacking CSWSH. The vulnerability is due to disabled origin checking in the WebSocket upgrader, which allows an attacker to send malicious requests using a victim’s browser cookies and achieve remote code execution...

8.6CVSS7.3AI score0.00515EPSS
Exploits0References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2025/08/30 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2025-25748

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A CSRF vulnerability in the gestioneutenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions e.g., modifying user passwords on...

7.3CVSS5.4AI score0.00395EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2025/08/20 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2018-6093

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient origin checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page...

6.5CVSS7.4AI score0.01597EPSS
Exploits0References2
CVE
CVE
added 2025/08/18 5:41 p.m.145 views

CVE-2025-55300

CVE-2025-55300 affects the GitHub project github.com/komari-monitor/komari (Komari) and is caused by the WebSocket upgrader disabling origin checking, which enables Cross-Site WebSocket Hijacking (CSWSH) against authenticated users. An attacker can craft requests to the terminal WebSocket endpoin...

8.6CVSS7.7AI score0.00515EPSS
Exploits0References2
OSV
OSV
added 2025/08/12 12:13 a.m.9 views

GHSA-Q355-H244-969H Komari vulnerable to Cross-site WebSocket Hijacking

Summary WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated users Details https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.goL33-L35 Any third party website can send request...

8.6CVSS7.7AI score0.00515EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/08/12 12:13 a.m.14 views

Komari vulnerable to Cross-site WebSocket Hijacking

Summary WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated users Details https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.goL33-L35 Any third party website can send request...

7.7AI score
Exploits0References5Affected Software1
Rows per page
Query Builder