CVE-2026-44183 Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entr...

CVE-2026-44183

CVE-2026-44183 affects Cleanuparr prior to 2.9.10. The vulnerability arises because TrustedNetworkAuthenticationHandler.ResolveClientIp uses the leftmost entry of the X-Forwarded-For header as the client IP, which is attacker-controlled since X-Forwarded-For is append-only. An unauthenticated rem...

CVE-2026-44183 Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entr...

PT-2024-24094 · Openstack · Ironic-Image

Name of the Vulnerable Software and Affected Versions: Ironic-image versions prior to 24.1.1 Description: The issue affects Ironic-image, an OpenStack Ironic deployment packaged and configured by Metal3, when the reverse proxy mode is enabled by setting the IRONIC REVERSE PROXY SETUP variable to...