27 matches found
Dot-only cookie domains match all hosts
Impact CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...
Permissive Cross-domain Policy with Untrusted Domains
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains in the CORS middleware. An attacker can access sensitive information and perform unauthorized actions by sending cross-origin request...
EUVD-2026-32999
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFSCORSALLOWEDORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and...
Improper Verification of Source of a Communication Channel
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the JavascriptInterface bridge in WebView when processing pages from untrusted origins. An attacker can execute arbitrary co...
GHSA-CXMW-P77Q-WCHG OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
Summary Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
Permissive Cross-domain Policy with Untrusted Domains
Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via a misconfigured CORS policy that reflects arbitrary origins and allows credentials. An attacker can gain unauthorized access to sensitive data and perform actions on behalf of...
Permissive Cross-domain Policy with Untrusted Domains
Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via a misconfigured CORS policy that reflects arbitrary origins and allows credentials. An attacker can gain unauthorized access to sensitive data and perform actions on behalf of...
Permissive Cross-domain Policy with Untrusted Domains
Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via a misconfigured CORS policy that reflects arbitrary origins and allows credentials. An attacker can gain unauthorized access to sensitive data and perform actions on behalf of...
CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...
CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...
CVE-2026-32302
CVE-2026-32302 affects OpenClaw. In versions before 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode = trusted-proxy and the request carried proxy headers, allowing an untrusted-origin page to connect through a trusted reverse proxy and obt...
CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...
EUVD-2026-11717
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode...
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
Summary In affected versions of openclaw, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inher...
CVE-2026-2345
Technical details about CVE-2026-2345 are not publicly available in the provided documents. Monitor for updates from Red Hat/NVD/CVE listings for affected products, impact, and remediation specifics.
Litestar's CORS origin allowlist has a bypass due to unescaped regex metacharacters in allowed origins
Summary CORS origin validation can be bypassed because the allowed-origins allowlist is compiled into a regex without escaping metacharacters notably .. An allowed origin like https://good.example can match https://goodXexample, resulting in Access-Control-Allow-Origin being set for an untrusted...
EUVD-2025-7022
Malicious code in bioql PyPI...
PT-2024-26386 · Tauri · Tauri
Name of the Vulnerable Software and Affected Versions: Tauri versions prior to 1.6.7 Tauri versions prior to 2.0.0-beta.19 Description: The issue allows remote origin iFrames in Tauri applications to access the Tauri IPC endpoints without being explicitly allowed. This bypasses the origin check a...
GO-2024-2813 Some CORS middleware allow untrusted origins in github.com/jub0bs/cors
Some CORS middleware more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patter...
GO-2024-2812 Some CORS middleware allow untrusted origins in github.com/jub0bs/fcors
Some CORS middleware more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patter...