CVE-2026-29934

A reflected cross-site scripting XSS vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referer value in the request header...

EUVD-2026-13111

Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent...

Open Redirect

Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Open Redirect in the handling of the switchAction, impersonateAction, and handle processes when redirecting users based on the HTTP Referer header. An attacker can redirec...

GHSA-9FFX-F77R-756W Sylius has an Open Redirect via Referer Header

Impact CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. Th...

EUVD-2026-10911

Sylius has an Open Redirect via Referer Header...

Sylius has an Open Redirect via Referer Header

Impact CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. Th...

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVE-2026-31819 Sylius has an Open Redirect via Referer Header

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVE-2026-31819 Sylius has an Open Redirect via Referer Header

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVE-2026-31819

Sylius (Open Source eCommerce Framework on Symfony) has a referer-based redirect issue in CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction, and StorageBasedLocaleSwitcher::handle. The vulnerability arises when a victim clicks a link on an attacker-controlled pa...

CVE-2026-31819 Sylius has an Open Redirect via Referer Header

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

Sylius 输入验证错误漏洞

Sylius is an open-source e-commerce platform developed by the Polish company Sylius, based on the Symfony framework. Sylius has a vulnerability related to input validation. This vulnerability arises from multiple controllers directly using the HTTP Referer header for redirection, which can lead t...

PT-2026-24473

Name of the Vulnerable Software and Affected Versions Sylius versions prior to 1.9.12 Sylius versions prior to 1.10.16 Sylius versions prior to 1.11.17 Sylius versions prior to 1.12.23 Sylius versions prior to 1.13.15 Sylius versions prior to 1.14.18 Sylius versions prior to 2.0.16 Sylius version...

GHSA-4R4R-4JP4-WWF9 FUXA has JWT Authentication Bypass via HTTP Referer header spoofing

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution RCE. The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...

Authentication Bypass Using an Alternate Path or Channel

Overview fuxa-server is a Web-based Process Visualization SCADA/HMI/Dashboard software Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via improper validation of the Referer header in the authentication process. An unauthorized attacker...

FUXA has JWT Authentication Bypass via HTTP Referer header spoofing

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution RCE. The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...

CVE-2025-69985

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution RCE. The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...

FUXA 安全漏洞

FUXA is a web-based process visualization software developed by frangoteam. Versions of FUXA 1.2.8 and earlier contained security vulnerabilities. These vulnerabilities stemmed from an authentication bypass mechanism. The server/api/jwt-helper.js middleware improperly trusted the HTTP Referer...

PT-2026-21744

Name of the Vulnerable Software and Affected Versions FUXA versions 1.2.8 and prior Description FUXA versions 1.2.8 and prior contain an Authentication Bypass issue that can lead to Remote Code Execution RCE. The issue resides in the server/api/jwt-helper.js middleware, which incorrectly relies o...