CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 3 days ago•10 views

CVE-2026-6657

CVE-2026-6657 affects jupyter-server 1.12.0–2.17.0. Root cause: using re.match() to validate the Origin header in allow_origin_pat, causing attacker-controlled domains like trusted.example.com.evil.com to bypass CORS origin checks. Impact stated across CORS headers, WebSocket connections, referer...

6.1CVSS6.6AI score0.00022EPSS

EUVD•added 2026/05/28 12:30 a.m.•8 views

EUVD-2026-32672

Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...

9.4CVSS5.8AI score0.00024EPSS

Exploits0References3

NVD•added 2026/05/27 11:16 p.m.•14 views

CVE-2026-9739

9.4CVSS0.00024EPSS

Tenable Nessus•added 2026/05/22 12:0 a.m.•7 views

Unity Linux 20.1060e / 20.1070e Security Update: ceph (UTSA-2026-016657)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016657 advisory. A flaw was found in the Red Hat Ceph Storage RadosGW Ceph Object Gateway in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers vi...

6.5CVSS6.4AI score0.00857EPSS

Exploits0References4

OSV•added 2026/05/20 3:38 p.m.•2 views

GHSA-M837-XVXR-VQWG Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage

Summary The TTS generation endpoint sets Access-Control-Allow-Origin: as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials. Root Cause typescript //...

6.9CVSS5.8AI score

AstraLinux•added 2026/05/20 5:53 a.m.•6 views

Astra Linux - уязвимость в firefox

The Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user’s browser to control it. This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.. This vulnerability...

6.5CVSS6.9AI score0.00235EPSS

AstraLinux•added 2026/05/20 5:53 a.m.•3 views

Astra Linux - уязвимость в apache2

An HTTP response smuggling vulnerability exists in the Apache HTTP Server via modproxyuwsgi. This issue affects the Apache HTTP Server version 2.4.30 through 2.4.55. Special characters in the origin response header can cause the response forwarded to the client to be truncated or split...

7.5CVSS7.1AI score0.00667EPSS

RedhatCVE•added 2026/05/16 1:56 a.m.•7 views

CVE-2026-44514

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to th...

CVE•added 2026/05/14 4:20 p.m.•9 views

CVE-2026-44514

Kubetail vulnerability (CVE-2026-44514) is a CSWSH flaw where the dashboard exposed WebSocket endpoints before 0.14.0 did not properly validate the Origin header, allowing an attacker to read authenticated users’ Kubernetes logs via a malicious page. Affected components and versions: Kubetail Das...

Cvelist•added 2026/05/14 4:20 p.m.•32 views

CVE-2026-44514 Kubetail: Cross-Site WebSocket Hijacking allows attacker to read Kubernetes logs from authenticated users

6.5CVSS0.00006EPSS

EUVD•added 2026/05/14 4:20 p.m.•6 views

EUVD-2026-30331

CNNVD•added 2026/05/14 12:0 a.m.•7 views

Kubetail 安全漏洞

Kubetail is an open-source Kubernetes real-time log monitoring dashboard developed by Kubetail. Versions of Kubetail prior to 0.14.0 contained security vulnerabilities. These vulnerabilities stemmed from insufficient validation of the Origin header at WebSocket endpoints, which could lead to...

6.5CVSS5.7AI score0.00006EPSS

Cvelist•added 2026/05/12 7:45 a.m.•30 views

CVE-2026-6402 webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for...

5.3CVSS0.00032EPSS

Github Security Blog•added 2026/05/08 8:43 p.m.•9 views

Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability

Summary The kanban npm package used by the cline CLI starts a WebSocket server on 127.0.0.1:3484 with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and: 1. Leak sensitive data in real-time: workspace filesystem paths, task...

9.6CVSS6.2AI score0.00019EPSS

Exploits1References2Affected Software1

Github Security Blog•added 2026/05/07 2:34 a.m.•10 views

Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

Exploits0References3Affected Software2

OSV•added 2026/05/07 2:34 a.m.•5 views

GHSA-V8J7-HP7C-738F Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Positive Technologies•added 2026/05/07 12:0 a.m.•8 views

Exploits0References3

PT-2026-38411

Name of the Vulnerable Software and Affected Versions Kubetail Dashboard versions prior to 0.14.0 Kubetail Helm Chart versions prior to 0.23.0 Kubetail CLI versions prior to 0.16.0 Description Kubetail's dashboard exposes WebSocket endpoints that do not adequately validate the Origin header durin...