Lucene search
K

1249 matches found

RedHat Linux
RedHat Linux
added 5 days ago3 views

netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation

A flaw was found in Netty's DnsResolveContext. This vulnerability allows a remote attacker to achieve information disclosure or data manipulation by crafting malicious DNS responses. The flaw occurs because the DnsResolveContext fails to validate the origin bailiwick of CNAME records in DNS...

10CVSS5.9AI score0.00224EPSS
Exploits0References7
NVD
NVD
added 6 days ago13 views

CVE-2026-59723

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validating the Origin header, and when ROOMSECRET is unset for loc...

8.8CVSS0.00145EPSS
Exploits0References4
CVE
CVE
added 6 days ago15 views

CVE-2026-59804

Midscene Bridge Server (affected: 1.10.3 and earlier) has a missing authentication and CORS misconfiguration that permits unauthenticated remote hijacking of active bridge sessions via a cross-origin WebSocket to the local Socket.IO server. The server does not validate Origin headers and requires...

7.6CVSS6AI score0.00213EPSS
Exploits0References4
Snyk
Snyk
added 6 days ago4 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via the CookieJar process. An attacker can access or manipulate cookies belonging to other hosts by exploiting improper domain matching for IP-address or bare-numeric domains. Remediation Upgrade guzzlehttp/guzzl...

6.1CVSS6.1AI score0.00115EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 12:17 p.m.4 views

Missing Origin Validation in WebSockets

Overview @theia/terminal is a Theia - Terminal Extension Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints when origin validation is bypassed due to missing or manipulated headers. An attacker c...

8.8CVSS6.2AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 12:17 p.m.4 views

Missing Origin Validation in WebSockets

Overview @theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints whe...

8.8CVSS6.2AI score0.00159EPSS
Exploits0References2
NVD
NVD
added 2026/07/03 11:16 a.m.10 views

CVE-2026-10054

In affected versions of Eclipse Theia 1.8.1 and later, the browser backend exposes privileged terminal RPC over WebSocket /services/shell-terminal, /services/terminals/:id without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when...

8.8CVSS0.00159EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/03 10:11 a.m.33 views

CVE-2026-10054

In affected versions of Eclipse Theia 1.8.1 and later, the browser backend exposes privileged terminal RPC over WebSocket /services/shell-terminal, /services/terminals/:id without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when...

8.8CVSS0.00159EPSS
Exploits0References2
CVE
CVE
added 2026/07/03 10:11 a.m.20 views

CVE-2026-10054

The CVE-2026-10054 entry concerns Eclipse Theia (1.8.1 and later) where the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without proper service-level authentication. The vulnerability stems from fail-open WebSocket origin valid...

8.8CVSS6.2AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/02 10:18 p.m.6 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the OIDC discovery process when the X-Forwarded-Host header is not validated and no allowed-hosts list is configured. An attacker can manipulate the issuer and JWKS URI in the discovery document by supplying a...

8.2CVSS6AI score0.00246EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-418 MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...

9.6CVSS7.7AI score0.00371EPSS
Exploits1References6
NVD
NVD
added 2026/06/24 9:16 p.m.7 views

CVE-2026-13208

A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity namespace/name solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI...

6.5CVSS0.0009EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 8:39 p.m.5 views

EUVD-2026-39087

A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity namespace/name solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI...

6.5CVSS5.8AI score0.0009EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.15 views

PT-2026-52088

Name of the Vulnerable Software and Affected Versions KubeVirt affected versions not specified Description A flaw exists in the KubeVirt virt-handler domain notify server. The gRPC handlers HandleDomainEvent and HandleK8SEvent determine the VMI identity namespace/name based only on the request...

6.5CVSS5.8AI score0.0009EPSS
Exploits0References5
OSV
OSV
added 2026/06/23 12:59 p.m.7 views

JLSEC-2026-614 WebSocket default Origin check ignores scheme and port in HTTP.jl

Description The default WebSocket Origin validator originalloweddefault only enforced the host component of the same-origin tuple. It never checked the Origin's scheme, and when the request Host header carried no explicit port the norm for default-port 80/443 servers, where browsers omit the port...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/06/19 10:10 p.m.20 views

GHSA-869J-R97X-HX2G Anki's local HTTP server does not sufficiently validate requests

Summary Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways: 1. No sufficient validation of the Origin header. 2. Some endpoints are vulnerable to path traversal attacks. This allows malicious...

8.7CVSS5.9AI score0.00181EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 10:10 p.m.9 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via insufficient validation of the Origin header and improper handling of request paths in the local HTTP server. An attacker can access and exfiltrate arbitrary local files by sending crafted requests from a...

8.7CVSS6.1AI score0.00181EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 9:15 p.m.4 views

Origin Validation Error

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Origin Validation Error in the GET /dbtplatformcontext endpoint, which is exposed without authentication or host-origin validation. An attacker can...

7.6CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/19 9:15 p.m.8 views

Origin Validation Error

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Origin Validation Error via the actionResourceJs process. An attacker can execute arbitrary JavaScript in the context of an administrator's browser and potentially achieve remote code executi...

9.2CVSS6.6AI score0.0033EPSS
Exploits0References2
OSV
OSV
added 2026/06/18 1:52 p.m.3 views

GHSA-VMF9-XX9W-86WX PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools

PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools Summary praisonaiagents.mcp.ToolsMCPServer.runsse builds a Starlette MCP HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes /sse and /messages/, but it does not valida...

8.3CVSS5.6AI score
Exploits0References2
Rows per page
Query Builder