343 matches found

AstraLinux
added 2026/05/20 5:53 a.m., 7 views

Astra Linux - vulnerability in firefox

The Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user’s browser to control it. This bug only affected Firefox when WebDriver was enabled, which is not the default configuration. This vulnerability...

CVSS 6.5 | AI score 6.9 | EPSS 0.00231
Exploits 0 | References 1
RedhatCVE
added 2026/05/16 1:56 a.m., 9 views

CVE-2026-44514

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to th...

CVSS 6.5 | AI score 5.8 | EPSS 0.0017
Exploits 0 | References 1
CVE
added 2026/05/14 4:20 p.m., 10 views

CVE-2026-44514

Kubetail vulnerability (CVE-2026-44514) is a CSWSH flaw: before 0.14.0 the dashboard exposed WebSocket endpoints that did not properly validate the Origin header, allowing an attacker to read authenticated users’ Kubernetes logs via a malicious page. Affected components and versions: Kubetail Das...

CVSS 6.5 | AI score 5.8 | EPSS 0.0017
Exploits 0 | References 1
EUVD
added 2026/05/14 4:20 p.m., 7 views

EUVD-2026-30331

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to th...

CVSS 6.5 | AI score 5.8 | EPSS 0.0017
Exploits 0 | References 1
Cvelist
added 2026/05/14 4:20 p.m., 38 views

CVE-2026-44514 Kubetail: Cross-Site WebSocket Hijacking allows attacker to read Kubernetes logs from authenticated users

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to th...

CVSS 6.5 | EPSS 0.0017
Exploits 0 | References 1
CNNVD
added 2026/05/14 12:00 a.m., 7 views

Kubetail security vulnerability

Kubetail is an open-source Kubernetes real-time log monitoring dashboard developed by Kubetail. Versions of Kubetail prior to 0.14.0 contained security vulnerabilities. These vulnerabilities stemmed from insufficient validation of the Origin header at WebSocket endpoints, which could lead to...

CVSS 6.5 | AI score 5.7 | EPSS 0.0017
Exploits 0 | References 2
Cvelist
added 2026/05/12 7:45 a.m., 64 views

CVE-2026-6402 webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for...

CVSS 5.3 | EPSS 0.00216
Exploits 0 | References 2
Github Security Blog
added 2026/05/08 8:43 p.m., 12 views

Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability

Summary: The kanban npm package used by the cline CLI starts a WebSocket server on 127.0.0.1:3484 with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and: 1. Leak sensitive data in real-time: workspace filesystem paths, task...

CVSS 9.6 | AI score 6.2 | EPSS 0.00154
Exploits 1 | References 3 | Affected Software 1
OSV
added 2026/05/07 2:34 a.m., 6 views

GHSA-V8J7-HP7C-738F Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary: Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

CVSS 6.5 | AI score 5.8 | EPSS 0.0017
Exploits 0 | References 3
Github Security Blog
added 2026/05/07 2:34 a.m., 12 views

Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary: Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

CVSS 6.5 | AI score 5.8 | EPSS 0.0017
Exploits 0 | References 3 | Affected Software 2
Positive Technologies
added 2026/05/07 12:00 a.m., 10 views

PT-2026-38411

Name of the Vulnerable Software and Affected Versions: Kubetail Dashboard versions prior to 0.14.0; Kubetail Helm Chart versions prior to 0.23.0; Kubetail CLI versions prior to 0.16.0. Description: Kubetail's dashboard exposes WebSocket endpoints that do not adequately validate the Origin header durin...

CVSS 6.5 | AI score 5.8 | EPSS 0.0017
Exploits 0 | References 4
SUSE CVE
added 2026/05/06 1:42 a.m., 5 views

SUSE CVE-2026-32689

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling. In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson,...

CVSS 8.7 | AI score 5.8 | EPSS 0.00469
Exploits 0 | References 3
NVD
added 2026/05/05 10:16 p.m., 5 views

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

CVSS 7.6 | EPSS 0.00357
Exploits 0 | References 4
Cvelist
added 2026/05/05 9:29 p.m., 36 views

CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

CVSS 7.6 | EPSS 0.00357
Exploits 0 | References 4
Debian CVE
added 2026/05/05 9:29 p.m., 5 views

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

CVSS 7.6 | AI score 5.8 | EPSS 0.00357
Exploits 0
Snyk
added 2026/05/05 6:10 p.m., 13 views

Cross-site Request Forgery (CSRF)

Overview: jupyterhub is a JupyterHub: A multi-user server for Jupyter notebooks. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the handling of HTTP form endpoints when requests with the Sec-Fetch-Mode: no-cors header are incorrectly treated as same-origin,...

CVSS 9.6 | AI score 5.7 | EPSS 0.00155
Exploits 1 | References 2
OSV
added 2026/05/05 4:54 p.m., 2 views

GHSA-24QX-W28J-9M6P Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)

Jupyter Server uses re.match to validate the Origin header against the alloworiginpat configuration. Since re.match only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only...

CVSS 7.6 | AI score 5.8 | EPSS 0.00357
Exploits 0 | References 6
CNNVD
added 2026/05/05 12:00 a.m., 5 views

Jupyter Server security vulnerability

Jupyter Server is an application developed by the Jupyter organization that provides backend services for Jupyter web applications. Jupyter Server versions 2.17.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the Origin header validation mechanism, which uses...

CVSS 7.6 | AI score 5.8 | EPSS 0.00357
Exploits 0 | References 1
Packet Storm
added 2026/05/05 12:00 a.m., 49 views

Traccar GPS Tracking System 6.11.1 Cross-Site WebSocket Hijacking

Traccar GPS Tracking System version 6.11.1 cross-site websocket hijacking proof of concept exploit. Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking CSWSH Date: 2026-02-26 Exploit Author: Hazar Taspinar Vendor Homepage: https://www.traccar.org/ Software Link:...

CVSS 7.1 | AI score 5.7 | EPSS 0.00541
Exploits 4
Exploit DB
added 2026/05/04 12:00 a.m., 68 views

Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)

Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking CSWSH Date: 2026-02-26 Exploit Author: Hazar Taspinar Vendor Homepage: https://www.traccar.org/ Software Link: https://github.com/traccar/traccar Version: = 6.11.1 Tested on: Windows 11 / Linux CVE: CVE-2025-68930...

CVSS 7.1 | AI score 5.8 | EPSS 0.00541
Exploits 4