Lucene search
K

27 matches found

Friends Of PHP
Friends Of PHP
added 2026/06/18 2:12 p.m.9 views

Dot-only cookie domains match all hosts

Impact CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...

5.8CVSS5.9AI score0.00111EPSS
Exploits0Affected Software1
Snyk
Snyk
added 2026/06/16 2:15 p.m.9 views

Permissive Cross-domain Policy with Untrusted Domains

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains in the CORS middleware. An attacker can access sensitive information and perform unauthorized actions by sending cross-origin request...

7.1CVSS6AI score0.00248EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/28 6:41 p.m.13 views

EUVD-2026-32999

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFSCORSALLOWEDORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and...

6CVSS5.8AI score0.00108EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/26 7:30 p.m.6 views

Improper Verification of Source of a Communication Channel

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the JavascriptInterface bridge in WebView when processing pages from untrusted origins. An attacker can execute arbitrary co...

8.8CVSS6.2AI score0.00368EPSS
Exploits0References3
OSV
OSV
added 2026/03/26 7:30 p.m.9 views

GHSA-CXMW-P77Q-WCHG OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

Summary Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

8.8CVSS5.8AI score0.00368EPSS
Exploits0References6
Snyk
Snyk
added 2026/03/19 4:28 p.m.5 views

Permissive Cross-domain Policy with Untrusted Domains

Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via a misconfigured CORS policy that reflects arbitrary origins and allows credentials. An attacker can gain unauthorized access to sensitive data and perform actions on behalf of...

9.6CVSS6AI score0.00257EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/19 4:28 p.m.2 views

Permissive Cross-domain Policy with Untrusted Domains

Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via a misconfigured CORS policy that reflects arbitrary origins and allows credentials. An attacker can gain unauthorized access to sensitive data and perform actions on behalf of...

9.6CVSS6AI score0.00257EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/19 4:28 p.m.4 views

Permissive Cross-domain Policy with Untrusted Domains

Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via a misconfigured CORS policy that reflects arbitrary origins and allows credentials. An attacker can gain unauthorized access to sensitive data and perform actions on behalf of...

9.6CVSS6AI score0.00257EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/12 9:22 p.m.2 views

CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

8.1CVSS5.8AI score0.00153EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/12 9:22 p.m.49 views

CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

8.1CVSS0.00153EPSS
Exploits0References3
CVE
CVE
added 2026/03/12 9:22 p.m.26 views

CVE-2026-32302

CVE-2026-32302 affects OpenClaw. In versions before 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode = trusted-proxy and the request carried proxy headers, allowing an untrusted-origin page to connect through a trusted reverse proxy and obt...

8.1CVSS5.8AI score0.00153EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/12 9:22 p.m.5 views

CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

8.1CVSS5.8AI score0.00153EPSS
Exploits0References5
EUVD
EUVD
added 2026/03/12 8:32 p.m.3 views

EUVD-2026-11717

OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode...

8.1CVSS5.8AI score0.00153EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/12 8:32 p.m.18 views

OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

Summary In affected versions of openclaw, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inher...

8.1CVSS5.8AI score0.00153EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/02/11 2:49 p.m.17 views

CVE-2026-2345

Technical details about CVE-2026-2345 are not publicly available in the provided documents. Monitor for updates from Red Hat/NVD/CVE listings for affected products, impact, and remediation specifics.

3.6CVSS5.5AI score0.00064EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/02/09 5:18 p.m.10 views

Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins

Summary CORS origin validation can be bypassed because the allowed-origins allowlist is compiled into a regex without escaping metacharacters notably .. An allowed origin like https://good.example can match https://goodXexample, resulting in Access-Control-Allow-Origin being set for an untrusted...

7.4CVSS5.4AI score0.00383EPSS
Exploits1References6Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-7022

Malicious code in bioql PyPI...

7.4CVSS7.5AI score0.00283EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2024/05/23 12:0 a.m.8 views

PT-2024-26386 · Tauri · Tauri

Name of the Vulnerable Software and Affected Versions: Tauri versions prior to 1.6.7 Tauri versions prior to 2.0.0-beta.19 Description: The issue allows remote origin iFrames in Tauri applications to access the Tauri IPC endpoints without being explicitly allowed. This bypasses the origin check a...

5.9CVSS7.6AI score0.00349EPSS
Exploits0References7
OSV
OSV
added 2024/05/21 3:8 p.m.18 views

GO-2024-2813 Some CORS middleware allow untrusted origins in github.com/jub0bs/cors

Some CORS middleware more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patter...

7AI score
Exploits0References2
OSV
OSV
added 2024/05/21 3:8 p.m.15 views

GO-2024-2812 Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors

Some CORS middleware more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patter...

7AI score
Exploits0References2
Rows per page
Query Builder