1026 matches found
EUVD-2026-40374
Nightingale n9e before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege Standard role user through POST /api/n9e/datasource/list. The route is...
PT-2026-52587
Name of the Vulnerable Software and Affected Versions wolfSSL versions prior to 5.9.1 Description A heap buffer overflow occurs in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The issue stems from an integer truncation when calculating the length of the ACK...
Node.js 22.x < 22.23.0 / 24.x < 24.17.0 / 26.x < 26.3.1 Multiple Vulnerabilities (Thursday, June 18, 2026 Security Releases).
The version of Node.js installed on the remote host is prior to 22.23.0, 24.17.0, or 26.3.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Thursday, June 18, 2026 Security Releases advisory. - A flaw in Node.js WebCrypto implementation can crash the process if the...
CVE-2026-48491
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection SNICheck that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard...
UBUNTU-CVE-2026-45692
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different...
Oracle Linux 9 : unbound (ELSA-2026-18931)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-18931 advisory. 1.24.2-2 - Switch TLS configuration to follow TLS sockets by crypto-policy again RHEL-147860 - Change the default of tls-use-system-policy-versions at...
Improper Verification of Cryptographic Signature
Overview CoreWCF.Primitives is a port of the service side of Windows Communication Foundation WCF to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in...
Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1
A memory write flaw that is outside the bounds of the system’s security was discovered in the Linux kernel’s Transport Layer Security functionality. This flaw allows a local user to cause a crash or potentially escalate their privileges on the system...
Astra Linux – Vulnerability in Firefox and Thunderbird
In specific HSTS configurations, an attacker could bypass HSTS on a subdomain. This vulnerability affects Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7...
Astra Linux – Vulnerability in qtbase-opensource-src
A issue was discovered in Qt before version 5.15.14, in versions 6.x before 6.2.9, and in versions 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security HSTS header, allowing unencrypted connections to be established, even when such connections are explicit...
Astra Linux – Vulnerability in Erlang
In Erlang/OTP versions prior to 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there was a situation where Client Authentication Bypass occurred in certain client-certification scenarios for SSL, TLS, and DTLS...
Astra Linux – Vulnerability in Firefox
When network partitioning was enabled, for example as a result of Enhanced Tracking Protection settings, a TLS error page allowed users to override an error on a domain that had specified HTTP Strict Transport Security. This means that the error should not be overwritten. This issue did not affec...
GHSA-GFJ5-979R-92PW @acastellon/auth: Authentication bypass via spoofable headers in validateToken()
@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...
PT-2026-48816
Name of the Vulnerable Software and Affected Versions Idira Privilege Cloud Connector versions prior to 1.1.100504 Description Under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced, potentially leading to a security bypass. TLS Transport Layer...
CVE-2026-53475
CVE-2026-53475 affects the assisted-migration-agent. The component hardcodes insecure TLS connections when communicating with vCenter, enabling a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials, potentially granting unauthorized access to vCenter. The ...
VMware Spring AMQP 信任管理问题漏洞
VMware Spring AMQP is a message queue integration framework developed by VMware, Inc. There is a vulnerability related to trust management in VMware Spring AMQP. This vulnerability arises when configuring a proxy connection using RabbitConnectionFactoryBean.setUriamqps://…, without calling...
PT-2026-48448
A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security TLS connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle MITM attacker to intercept and harvest vCenter administrator credentials. This can lead to...
GHSA-W7W5-5GCP-38RW nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...
PT-2026-47583
None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...