5295 matches found

Vulnrichment
added 2026/03/18 3:15 p.m., 3 views

CVE-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

AI score 5.8, EPSS 0.00297
Exploits 0, References 1

AlpineLinux
added 2026/03/18 3:15 p.m., 5 views

CVE-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

CVSS 7.5, AI score 5.8, EPSS 0.00297
Exploits 0, References 1

CVE
added 2026/03/18 3:15 p.m., 19 views

CVE-2026-33002

Summary: CVE-2026-33002 affects Jenkins WebSocket CLI origin validation. The vulnerability arises from computing the expected origin using the Host or X-Forwarded-Host headers, enabling potential DNS rebinding to bypass origin validation. Affected versions include Jenkins 2.442–2.554 and LTS 2.42...

CVSS 7.5, AI score 5.8, EPSS 0.00297
Exploits 0, References 1, Affected Software 1

ATTACKERKB
added 2026/03/18 3:15 p.m., 5 views

CVE-2026-33002

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

AI score 5.8, EPSS 0.00297
Exploits 0, References 2

OSV
added 2026/03/18 10:01 a.m., 1 view

SUSE-SU-2026:20902-1 Security update for libsoup

This update for libsoup fixes the following issues: Update to libsoup 3.6.6: - CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion bsc1252555. - CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy bsc1254876. - CVE-2025-32049:...

CVSS 9.1, AI score 6, EPSS 0.00686
Exploits 2, References 19

OSV
added 2026/03/18 10:01 a.m., 1 view

SUSE-SU-2026:20752-1 Security update for libsoup

This update for libsoup fixes the following issues: Update to libsoup 3.6.6: - CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion bsc1252555. - CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy bsc1254876. - CVE-2025-32049:...

CVSS 9.1, AI score 6.9, EPSS 0.00686
Exploits 2, References 19

OSV
added 2026/03/18 10:01 a.m., 3 views

OPENSUSE-SU-2026:20384-1 Security update for libsoup

This update for libsoup fixes the following issues: Update to libsoup 3.6.6: - CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion bsc1252555. - CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy bsc1254876. - CVE-2025-32049:...

CVSS 9.1, AI score 7, EPSS 0.00686
Exploits 2, References 18

NVD
added 2026/03/18 12:16 a.m., 6 views

CVE-2026-27977

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing...

CVSS 5.4, EPSS 0.00171
Exploits 1, References 3

Positive Technologies
added 2026/03/18 12:00 a.m., 5 views

PT-2026-26074

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.442 through 2.554 Jenkins LTS versions 2.426.3 through 2.541.2 Description The software does not properly validate the origin of requests made through the CLI WebSocket endpoint. It calculates the expected origin using the...

CVSS 7.6, AI score 6, EPSS 0.00297
Exploits 0, References 16

Tenable Nessus
added 2026/03/18 12:00 a.m., 3 views

Jenkins LTS < 2.541.3 / Jenkins weekly < 2.555 Multiple Vulnerabilities

According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.541.3 or Jenkins weekly prior to 2.555. It is, therefore, affected by multiple vulnerabilities: - Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LT...

CVSS 7.5, AI score 5.8, EPSS 0.00297
Exploits 0, References 2

CNNVD
added 2026/03/18 12:00 a.m., 4 views

Jenkins security vulnerability

Jenkins is an open-source application developed by Jenkins Project. The open-source automation server Jenkins offers hundreds of plugins to support building, deploying, and automating any project. Jenkins versions 2.554 and earlier, as well as LTS 2.541.2 and earlier, have security vulnerabilitie...

CVSS 7.5, AI score 6.1, EPSS 0.00297
Exploits 0, References 2

Positive Technologies
added 2026/03/18 12:00 a.m., 4 views

PT-2026-26211

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.2 Description SiYuan is a personal knowledge management system. The kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incomin...

CVSS 7.5, AI score 6, EPSS 0.00497
Exploits 1, References 7

FreeBSD
added 2026/03/18 12:00 a.m., 6 views

jenkins -- multiple vulnerabilities

Jenkins Security Advisory 2026-03-18: SECURITY-3657 / CVE-2026-33001: Arbitrary file write vulnerability through specially crafted archives in Jenkins High SECURITY-3674 / CVE-2026-33002: DNS rebinding vulnerability in WebSocket CLI origin validation in Jenkins High...

CVSS 8.8, AI score 6, EPSS 0.0075
Exploits 0, References 1

OPENSUSE Linux
added 2026/03/18 12:00 a.m., 4 views

ruby4.0-rubygem-websocket-extensions-0.1.5-1.24 on GA media (moderate)

ruby4.0-rubygem-websocket-extensions-0.1.5-1.24 on GA media Announcement ID: openSUSE-SU-2026:10368-1 Rating: moderate Cross-References: CVE-2020-7663 CVSS scores: CVE-2020-7663 SUSE : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Affected Products: openSUSE Tumbleweed An update that solves on...

CVSS 4.3, AI score 7.1, EPSS 0.04349
Exploits 1

Vulnrichment
added 2026/03/17 11:56 p.m., 6 views

CVE-2026-27977 Next.js: null origin can bypass dev HMR websocket CSRF checks

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing...

CVSS 2.3, AI score 5.6, EPSS 0.00171
Exploits 1, References 3

ATTACKERKB
added 2026/03/17 11:56 p.m., 7 views

CVE-2026-27977

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing...

CVSS 2.3, AI score 5.6, EPSS 0.00171
Exploits 1, References 4, Affected Software 1

Cvelist
added 2026/03/17 11:56 p.m., 33 views

CVE-2026-27977 Next.js: null origin can bypass dev HMR websocket CSRF checks

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing...

CVSS 2.3, EPSS 0.00171
Exploits 1, References 3

CVE
added 2026/03/17 11:56 p.m., 24 views

CVE-2026-27977

CVE-2026-27977 affects the Next.js development server. The vulnerability lies in the Next.js dev mode where cross-site protection for internal HMR websocket endpoints could treat Origin: null as a permitted bypass even when allowedDevOrigins is configured, allowing privacy-sensitive contexts (e.g...

CVSS 5.4, AI score 5.6, EPSS 0.00171
Exploits 1, References 3, Affected Software 1

OSV
added 2026/03/17 11:56 p.m., 4 views

CVE-2026-27977 Next.js: null origin can bypass dev HMR websocket CSRF checks

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing...

CVSS 2.3, AI score 5.8, EPSS 0.00171
Exploits 1, References 5

EUVD
added 2026/03/17 3:29 p.m., 5 views

EUVD-2026-12683

Next.js: null origin can bypass dev HMR websocket CSRF checks...

CVSS 2.3, AI score 5.8, EPSS 0.00171
Exploits 1, References 3