Lucene search
K

178 matches found

CNNVD
CNNVD
added 2026/04/10 12:0 a.m.10 views

CPython 安全漏洞

CPython is a Python interpreter implemented in C language by the Python Foundation. CPython has security vulnerabilities, which stem from HTTP client proxy tunnel headers or hosts not rejecting CR/LF bytes...

5.7CVSS7.3AI score0.00562EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.11 views

ewe 安全漏洞

ewe is a lightweight web server build package developed by Vladislav Shakitskiy. Versions of ewe 3.0.4 and earlier contained security vulnerabilities, which stemmed from improper handling of the chunk transfer encoding at the end of the transmission. These vulnerabilities could lead to...

5.3CVSS5.8AI score0.00386EPSS
Exploits1References4
OSV
OSV
added 2026/03/16 8:49 p.m.10 views

GHSA-9W88-79F8-M3VP Permissive List of Allowed Inputs in ewe

Summary ewe's chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. Security-sensitive headers like authorization, cookie, and x-forwarded-for can be injected or overwritten by a malicious client...

5.3CVSS5.8AI score0.00386EPSS
Exploits1References6
NVD
NVD
added 2026/03/13 7:54 p.m.10 views

CVE-2026-22199

Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can...

8.7CVSS0.00976EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/13 1:18 a.m.4 views

CVE-2026-22199 Voltronic Power SNMP Web Pro 1.1 Path Traversal via upload.cgi

Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can...

8.7CVSS5.8AI score0.00976EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.11 views

PT-2026-25140

Name of the Vulnerable Software and Affected Versions wpDiscuz versions prior to 7.6.47 Description The software contains a flaw that allows manipulation of comment votes. Attackers can obtain fresh nonces and bypass rate limiting by using client-controlled headers. Specifically, attackers can...

8.7CVSS5.4AI score0.00976EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 2026/03/12 9:22 p.m.3 views

CVE-2026-32302

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

8.1CVSS5.8AI score0.00153EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/03/12 9:22 p.m.24 views

CVE-2026-32302

CVE-2026-32302 affects OpenClaw. In versions before 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode = trusted-proxy and the request carried proxy headers, allowing an untrusted-origin page to connect through a trusted reverse proxy and obt...

8.1CVSS5.8AI score0.00153EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.6 views

PT-2026-25083

Summary In affected versions of openclaw, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inher...

8.1CVSS5.7AI score0.00153EPSS
Exploits0References14
RedhatCVE
RedhatCVE
added 2026/02/22 7:24 a.m.9 views

CVE-2026-27193

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

8.2CVSS5.5AI score0.00354EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/21 4:9 a.m.4 views

CVE-2026-27193

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

8.2CVSS5.5AI score0.00354EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/02/10 8:50 a.m.6 views

BIT-NGINX-INGRESS-CONTROLLER-2025-15566 ingress-nginx auth-proxy-set-headers nginx configuration injection

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...

8.8CVSS6.4AI score0.00469EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/06 3:13 a.m.6 views

CVE-2025-15566

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...

8.8CVSS6.3AI score0.00469EPSS
Exploits0References2
CVE
CVE
added 2026/02/06 3:13 a.m.26 views

CVE-2025-15566

CVE-2025-15566 affects ingress-nginx via the auth-proxy-set-headers annotation that can inject configuration into nginx, enabling arbitrary code execution in the ingress-nginx controller and disclosure of Secrets accessible cluster-wide. Connected sources confirm the vulnerability lies in the ann...

8.8CVSS6.3AI score0.00469EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/06 3:13 a.m.32 views

CVE-2025-15566 ingress-nginx auth-proxy-set-headers nginx configuration injection

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...

8.8CVSS0.00469EPSS
Exploits0References1
OSV
OSV
added 2026/02/06 3:13 a.m.6 views

CVE-2025-15566 ingress-nginx auth-proxy-set-headers nginx configuration injection

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...

8.8CVSS7.7AI score0.00469EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/02/06 3:13 a.m.2 views

CVE-2025-15566 ingress-nginx auth-proxy-set-headers nginx configuration injection

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...

8.8CVSS6.3AI score0.00469EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/01/13 12:0 a.m.3 views

MiracleLinux 8 : python39:3.9 (AXSA:2025-9939:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-9939:01 advisory. modwsgi: Trusted Proxy Headers Removing Bypass CVE-2022-2255 Tenable has extracted the preceding description block directly from the MiracleLinux security...

7.5CVSS7.3AI score0.0069EPSS
Exploits1References2
IBM Security Bulletins
IBM Security Bulletins
added 2026/01/08 4:47 p.m.10 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera Console

Summary Multiple vulnerabilities were addressed in IBM Aspera Console version 3.4.8. Vulnerability Details CVEID:CVE-2025-61780 DESCRIPTION: Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in...

7.5CVSS6.4AI score0.00868EPSS
Exploits0Affected Software5
NVD
NVD
added 2026/01/08 2:15 a.m.14 views

CVE-2026-21881

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSEPROXYAUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a...

9.1CVSS0.00433EPSS
Exploits2References3
Rows per page
Query Builder