Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the UI server WebSocket. An attacker can gain unauthorized access to sensitive endpoints, such as streaming real-time pod logs, opening an interactive shell inside a running pod, or...

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Summary An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in...

trying-to-make-a-website-scanner

trying-to-make-a-website-scanner Web Vulnerability Scanner —...

CVE-2026-42220

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...

SUSE CVE-2026-42052

Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode for untrusted metadata fields. In this runtime, is raw insertion and HTML escaping is only performed by . Rendered output is then inserted with .html..., allowing...

PT-2026-37355

Name of the Vulnerable Software and Affected Versions Rancher versions prior to 2.11.13 Rancher versions prior to 2.12.9 Rancher versions prior to 2.13.5 Rancher versions prior to 2.14.1 Description A path traversal issue exists in the UI plugin mechanism. Malicious code can be injected through t...

PT-2026-38264

Name of the Vulnerable Software and Affected Versions DevSpace versions prior to 6.3.21 Description The UI server WebSocket accepts connections from all origins by default, exposing several endpoints. A malicious website visited by a developer using a browser can establish a cross-origin WebSocke...

GHSA-FW8G-CG8F-9J28 Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

Impact In the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics e.g. via a...

GHSA-7JRR-XW9C-MJ39 Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

Summary An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...

CVE-2026-42223

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

CVE-2026-42052

Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode for untrusted metadata fields. In this runtime, is raw insertion and HTML escaping is only performed by . Rendered output is then inserted with .html..., allowing...

Google Chrome 资源管理错误漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a resource management vulnerability. This vulnerability stemmed from the reuse of resources after the MediaRecording function was released, which could allow remote attackers to...

Google Chrome 安全漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a security vulnerability. This vulnerability stemmed from insufficient input validation in TabGroups, which could allow remote attackers to exploit UI deception through malicious...

PT-2026-40721

Name of the Vulnerable Software and Affected Versions Prometheus versions 2.49.0 through 3.5.2 Prometheus versions 3.11.0 through 3.11.2 Description In the legacy web UI, which is enabled via the --enable-feature=old-ui command-line flag, the histogram heatmap chart view fails to escape label...

Google Chrome 输入验证错误漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 contained a vulnerability related to input validation. This vulnerability stemmed from insufficient input validation by Network, which could allow a remote attacker with access to the renderer...

PT-2026-38140

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description Insufficient validation of untrusted input in the Network component allows a remote attacker who has compromised the renderer process to perform UI spoofing using a crafted HTML page...

PT-2026-38212

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description Insufficient policy enforcement in WebApp allows a remote attacker to perform UI spoofing, which is the act of mimicking a legitimate user interface to deceive users, via a crafted HTML...

PT-2026-38128

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description An inappropriate implementation in the Speech component allows a remote attacker to perform UI spoofing, which is the act of mimicking a legitimate user interface to deceive users, via ...

PT-2026-38214

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description Script injection in the UI allows a remote attacker to inject arbitrary scripts or HTML Universal Cross-Site Scripting - UXSS, which is a vulnerability that enables scripts to run acros...

PT-2026-38208

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description An inappropriate implementation in Media allows a remote attacker to perform UI spoofing, which is the act of mimicking a legitimate user interface to deceive users, via a crafted HTML...