Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

GHSA-V8J7-HP7C-738F Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

CVE-2026-40925

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

CVE-2025-68930

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability in the /api/socket endpoint. The application fails to validate the Origin header during the WebSocket handshake. This allows a remote attacker to bypass...

CVE-2025-14279

The CVE details a DNS rebinding vulnerability in MLflow up to version 3.4.0 caused by lack of Origin header validation in the MLflow REST server. The issue allows an attacker to bypass Same-Origin Policy and issue unauthorized requests to REST endpoints, enabling querying, updating, and deleting ...

MLflow 访问控制错误漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. An Access Control Error vulnerability exists in MLflow 3.4.0 and prior versions, which stems from a la...

Exposed Dangerous Method or Function

Overview playwright is an A high-level API to automate web browsers Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via missing validation of the Origin header on incoming connections. An attacker can gain unauthorized access to locally running endpoints b...

CVE-2025-9611

Microsoft Playwright MCP Server prior to version 0.0.40 is vulnerable due to missing Origin header validation, enabling DNS rebinding attacks that can trigger unauthorized requests to locally running MCP tool endpoints. Affected software: MCP Server versions

Cross-Origin Resource Sharing (CORS) Misconfiguration

@strapi/core is vulnerable to Cross-Origin Resource Sharing CORS Misconfiguration. The vulnerability is due to improper validation of the Origin header in default configurations, which allows an attacker to exploit this by hosting a malicious site on a different origin and sending credentialed...

EUVD-2018-18398

Malware in sbrugna...

Cross-site WebSocket Hijacking

webpack-dev-server is vulnerable to Cross-site WebSocket hijacking. The vulnerability is due to improper Origin header validation, which permits IP address origins, allows attackers to hijack WebSocket connections and steal source code via malicious websites...

CVE-2023-7080

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary cod...

[SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update

-------------------------------------------------------------------------- Debian LTS Advisory DLA-4151-1 [email protected] https://www.debian.org/lts/security/ Andrej Shadura May 01, 2025 https://wiki.debian.org/LTS -...

CVE-2024-7819

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

CVE-2024-7819

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

CVE-2024-7819 CORS Misconfiguration in danswer-ai/danswer

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

CVE-2024-7819

A CVE-2024-7819 entry concerns danswer-ai/danswer v1.4.1. The vulnerability is a CORS misconfiguration caused by improper validation of the origin header, enabling malicious web pages to issue unauthorized requests to the application's API and potentially disclose sensitive data (e.g., chat conte...

CVE-2018-15402

Cisco Enterprise NFV Infrastructure Software (NFVIS) contains a CSRF vulnerability (CVE-2018-15402) arising from improper Origin header validation in the management HTTP interface. An unauthenticated, remote attacker can lure a user to a malicious page to perform actions with the user’s privilege...

Design/Logic Flaw

In the uncurlwsaccept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation accepting an arbitrary substring match for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full...