29 matches found
CVE-2026-54003 Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation...
GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward
Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...
GHSA-GCFQ-8GQF-4876 GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward
Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...
PT-2026-50724
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description An external initialization issue exists in the Kirby Panel and REST API. This occurs when a site has no configured user accounts and is hosted on a publicly accessible...
GHSA-M547-HP4W-J6JX Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
Summary Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP. Details In the first file below, the rate-limit for unauthenticated users can be observed...
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP...
Vikunja 安全漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja from 0.8 to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from a rate-limiting mechanism that relied on RealIP values. This allowed unverified users to bypass rate limits by...
CVE-2026-29054 Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to preve...
CVE-2026-29054
CVE-2026-29054 (Traefik) affects Traefik HTTP reverse proxy/load balancer from versions 2.11.9–2.11.37 and 3.1.3–3.6.8. The issue arises when Traefik processes HTTP/1.1 requests: the protection that prevents removal of Traefik-managed X-Forwarded headers via the Connection header compares tokens ...
traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)
Impact There is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port,...
Brute Force
Overview Affected versions of this package are vulnerable to Brute Force via the authentication rate limiting process. An attacker can bypass authentication rate limiting by forging the X-Real-IP header, allowing unlimited authentication attempts from a single source. Remediation Upgrade...
CVE-2026-27981
HomeBox vulnerability CVE-2026-27981 allows an attacker to bypass authentication rate limiting by spoofing client IPs via X-Real-IP and manipulating X-Forwarded-For, since the authRateLimiter reads these headers and r.RemoteAddr unconditionally, with RealIP middleware overwriting the remote addre...
CVE-2026-27981
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...
EUVD-2026-9346
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...
CVE-2026-27981 HomeBox has an Auth Rate Limit Bypass via IP Spoofing
HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...
HomeBox 安全漏洞
HomeBox is an open-source system developed by SysAdmins Media for home users. Versions of HomeBox prior to 0.24.0 contained security vulnerabilities. These vulnerabilities stemmed from the identity authentication rate limiter unconditionally reading and trusting headers like X-Real-IP, with...
RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers
Summary IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...
CVE-2026-21862 RustFS sourceIp bypass via spoofed X-Forwarded-For/Real-IP headers
RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy...
CVE-2020-37056
The CVE-2020-37056 entry concerns Crystal Shard http-protection 0.2.0, where an IP-spoofing flaw allows bypass of protection middleware by crafting headers. Specifically, attackers can set consistent values in X-Forwarded-For, X-Client-IP, and X-Real-IP to defeat checks and gain unauthorized acce...