22 matches found
Fedora 43 : python-django5 (2026-f140cb16b6)
The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f140cb16b6 advisory. Fixes five low-severity CVEs - CVE-2026-6873: Signed cookie salt namespace collision - CVE-2026-7666: Potential unencrypted email transmission via...
OESA-2026-2661 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header...
OESA-2026-2660 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header...
OESA-2026-2659 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header...
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/?newkey=&keyname= The raw API key ends up: - in the browser's URL history - in the Referer header on every cross-origin asset the detai...
Security update for python-Django
This update for python-Django fixes the following issues CVE-2026-6873: signed cookie salt namespace collision in django.http.HttpRequest.getsignedcookie bsc1267578. CVE-2026-7666: potential unencrypted email transmission via STARTTLS in the SMTP backend bsc1267579. CVE-2026-8404: potential...
CVE-2026-6873
A flaw was found in Django. A remote attacker could exploit a non-injective salt derivation in django.http.HttpRequest.getsignedcookie by crafting specific cookie name and salt argument pairs. This vulnerability allows the attacker to use a signed cookie in a different context than intended,...
CVE-2026-6873
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...
CVE-2026-6873 Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...
EUVD-2026-34086
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...
CVE-2026-6873
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...
CVE-2026-6873 Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...
UBUNTU-CVE-2026-6873
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...
Django 安全漏洞
Django is a set of open-source web frameworks based on the Python language, developed by the Django Foundation. This framework includes an object-oriented mapper, view system, template system, etc. Versions of Django prior to 6.0.6 and 5.2.15 contained security vulnerabilities. These...
Improper Encoding or Escaping of Output
Overview AWSSDK.CloudFront is an Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitment...
CVE-2026-27193
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...
CVE-2026-27193
Feathersjs versions ≤ 5.0.39 store all HTTP request headers in the signed but unencrypted session cookie. The complete headers object (including internal proxy/gateway headers, API keys, tokens, and internal IPs) is base64-encoded in the cookie and readable by clients, exposing sensitive infrastr...
Feathers 信息泄露漏洞
Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier contained an information leakage vulnerability. This vulnerability stemmed from the fact that all HTT...
GHSA-9M9C-VPV5-9G85 Feathers exposes internal headers via unencrypted session cookie
All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session: javascript //...
CVE-2024-36511
An improperly implemented security check for standard vulnerability CWE-358 in FortiADC Web Application Firewall WAF 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an...