PT-2026-40979

Summary A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Impact Fleet extracted client IP...

CVE-2026-34505

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling...

CVE-2026-29794

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

CVE-2026-22201

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTPCLIENTIP or HTTPXFORWARDEDFOR headers to spoof their IP address and circumvent...

PT-2026-3501

Name of the Vulnerable Software and Affected Versions MyTube versions prior to 1.7.71 Description MyTube is a self-hosted downloader and player for several video websites. A rate limiting bypass exists due to X-Forwarded-For header spoofing, allowing unauthenticated attackers to circumvent IP-bas...

Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs e.g., by collapsing multiple slashes, this can allow bypasses of disabledPaths and path-based rate limits. Details Better Auth...

GHSA-X732-6J76-QMHM Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs e.g., by collapsing multiple slashes, this can allow bypasses of disabledPaths and path-based rate limits. Details Better Auth...

CVE-2025-12094

The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments No CAPTCHA plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers such as CF-Connecting-IP, X-Forwarded-For,...

EUVD-2025-37313

The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments No CAPTCHA plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers such as CF-Connecting-IP, X-Forwarded-For,...

CVE-2025-56132

LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2...

CVE-2025-9376

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbotscheckwordpressloggedincookie' function in all versions up to, and including, 11.58. This...

CVE-2025-9376 Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection <= 11.58 - Insufficient Authorization to Unauthenticated Blocklist Bypass

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbotscheckwordpressloggedincookie' function in all versions up to, and including, 11.58. This...

Linux Distros Unpatched Vulnerability : CVE-2021-39899

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In all versions of GitLab CE/EE, an attacker with physical access to a user's machine may brute force the user's password via the change password function. Ther...

CVE-2025-8927

A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/sendcode of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive authentication attempts. The...

CVE-2025-55003

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication MFA system allows enforcing MFA using Time-based One Time Password TOTP. Due to...

Mattermost 安全漏洞

Mattermost is an open source collaboration platform from Mattermost, Inc. Mattermost is vulnerable to a default configuration error that could be exploited by an attacker to bypass some existing rate limits or to use a manipulated IP for audit logging by manipulating the request header...

MediaWiki Restriction Bypass Vulnerability

MediaWiki is a free software open source wiki package written in PHP, originally used for Wikipedia, but now also used by several other projects of the non-profit Wikimedia Foundation and many other wikis. MediaWiki suffers from a limitation bypass vulnerability that stems from the '$wgRateLimits...