Lucene search
K

195 matches found

NVD
NVD
added yesterday7 views

CVE-2026-59897

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

4.8CVSS
Exploits0References3
Cvelist
Cvelist
added yesterday30 views

CVE-2026-59897 Hono: API Gateway v1 adapter can drop a distinct repeated request header value during de-duplication

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...

4.8CVSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 days ago5 views

CVE-2026-4249

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service conditio...

8.6CVSS6AI score0.00339EPSS
Exploits0References2Affected Software4
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-41871

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service conditio...

8.6CVSS6AI score0.00339EPSS
Exploits0References1
Cvelist
Cvelist
added 3 days ago38 views

CVE-2026-4249 Denial of Service via Malicious JSON Payloads in Throttling Events in Multiple WSO2 Products Causing Persistent Service Disruption

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service conditio...

8.6CVSS0.00339EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/19 1:10 p.m.8 views

EUVD-2026-38015

Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrad...

5.3CVSS5.9AI score0.00285EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/16 4:29 p.m.25 views

CVE-2024-38487

api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions...

7CVSS0.00081EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/16 4:29 p.m.8 views

EUVD-2024-55624

api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unintended actions...

7CVSS5.2AI score0.00081EPSS
Exploits0References1
CVE
CVE
added 2026/06/16 4:29 p.m.18 views

CVE-2024-38487

CVE-2024-38487 describes a vulnerability where an api-gateway container running with root privileges could escape the container and access the host system. Affected configuration: containerized api-gateway with root-level execution; root privileges combined with local attack vector enable host ac...

7CVSS5.3AI score0.00081EPSS
Exploits0References1
OSV
OSV
added 2026/06/16 2:32 p.m.6 views

GHSA-RV63-4MWF-QQC2 hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Summary The Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is delivered fully buffered and the adapter builds the request with the client-declared...

6.5CVSS5.4AI score0.00103EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/10 6:39 a.m.7 views

CVE-2026-11815 Insecure Deserialization via MITM in Layer 7 Policy Manager

An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution...

5.3CVSS6AI score0.00317EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/12 8:20 a.m.8 views

CVE-2026-41432

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...

8.2CVSS5.9AI score0.00259EPSS
Exploits1References1
NVD
NVD
added 2026/05/08 11:16 p.m.19 views

CVE-2026-41432

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...

8.2CVSS0.00259EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/30 8:48 p.m.10 views

CVE-2026-6911

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...

9.8CVSS5.4AI score0.00254EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/25 4:45 p.m.39 views

CVE-2026-6987 PicoClaw Web Launcher Management Plane restart command injection

A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed o...

7.5CVSS0.03132EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/04/24 4:8 p.m.23 views

CVE-2026-6911 Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...

9.8CVSS0.00254EPSS
Exploits0References3
CVE
CVE
added 2026/04/24 4:8 p.m.23 views

CVE-2026-6911

The CVE-2026-6911 issue in AWS Ops Wheel involves missing JWT signature verification, enabling unauthenticated attackers to forge tokens and gain administrative access across tenants. The vulnerability affects the API Gateway path used by Ops Wheel, with potential read/modify/delete rights over a...

9.8CVSS5.4AI score0.00254EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/24 4:8 p.m.2 views

CVE-2026-6911 Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...

9.8CVSS5.4AI score0.00254EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.12 views

PT-2026-35027

Name of the Vulnerable Software and Affected Versions AWS Ops Wheel affected versions not specified Description Missing JWT signature verification allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application. This enables the ability to read,...

9.8CVSS5.3AI score0.00254EPSS
Exploits0References7
OSV
OSV
added 2026/03/23 7:24 p.m.5 views

CVE-2026-32879 New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAut...

4.9CVSS6.4AI score0.00289EPSS
Exploits0References3
Rows per page
Query Builder