86 matches found

RedhatCVE
added 2025/03/22 11:13 a.m. · 12 views

CVE-2024-8026

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating,...

CVSS 8.1 · AI score 7.1 · EPSS 0.00092
Exploits 1 · References 1
OSV
added 2025/03/20 10:15 a.m. · 2 views

CVE-2024-8026

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating,...

CVSS 8.1 · AI score 7.3 · EPSS 0.00092
Exploits 1 · References 1
NVD
added 2025/03/20 10:15 a.m. · 4 views

CVE-2024-8026

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating,...

CVSS 8.1 · EPSS 0.00092
Exploits 1 · References 1
Vulnrichment
added 2025/03/20 10:11 a.m. · 6 views

CVE-2024-8026 CSRF due to overly permissive CORS headers in netease-youdao/qanything

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating,...

CVSS 8.1 · AI score 8.2 · EPSS 0.00092
Exploits 1 · References 1
CVE
added 2025/03/20 10:11 a.m. · 70 views

CVE-2024-8026

CVE-2024-8026 concerns a CSRF flaw in the backend API of netease-youdao/qanything caused by overly permissive CORS headers that allow all cross-origin requests. The vulnerability reportedly affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and m...

CVSS 8.1 · AI score 8.2 · EPSS 0.00092
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2025/03/20 10:11 a.m. · 10 views

CVE-2024-8026 CSRF due to overly permissive CORS headers in netease-youdao/qanything

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating,...

CVSS 8.1 · EPSS 0.00092
Exploits 1 · References 1
CNNVD
added 2025/03/11 12:00 a.m. · 2 views

Umbraco Security Vulnerability

Umbraco is an open source content management system (CMS) written in C# by Umbraco, Denmark. A security vulnerability exists in Umbraco version 10.8.9 and prior to version 13.7.1, which stems from manipulation of backend API URLs that could result in the retrieval or deletion of content or media t...

CVSS 6.4 · AI score 6.3 · EPSS 0.00195
Exploits 0 · References 4
Vulnrichment
added 2025/03/07 3:36 p.m. · 8 views

CVE-2025-27518 Cognita CORS misconfiguration in backend API server

Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. An insecure CORS configuration in the Cognita backend server allows arbitrary websites to send cross site requests to the application. This vulnerability is fixe...

CVSS 6.9 · AI score 6.8 · EPSS 0.00244
Exploits 0 · References 3
Cvelist
added 2025/03/07 3:36 p.m. · 14 views

CVE-2025-27518 Cognita CORS misconfiguration in backend API server

Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. An insecure CORS configuration in the Cognita backend server allows arbitrary websites to send cross site requests to the application. This vulnerability is fixe...

CVSS 6.9 · EPSS 0.00244
Exploits 0 · References 3
Positive Technologies
added 2025/02/17 12:00 a.m. · 2 views

PT-2025-6920 · Unknown · Filemegane

Name of the Vulnerable Software and Affected Versions: FileMegane versions 3.0.0.0 through 3.4.0.0. Description: The issue exists due to a Server-Side Request Forgery (SSRF) vulnerability. This could allow executing arbitrary backend Web API requests, potentially leading to rebooting the services...

CVSS 7.2 · AI score 7.4 · EPSS 0.00075
Exploits 0 · References 7
RedhatCVE
added 2025/02/05 6:28 a.m. · 6 views

CVE-2024-5714

In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with...

CVSS 7.4 · AI score 6.6 · EPSS 0.0009
Exploits 1 · References 1
OSV
added 2024/06/27 7:15 p.m. · 13 views

CVE-2024-5714

In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with...

CVSS 6.8 · AI score 6.7
Exploits 0 · References 2
NVD
added 2024/06/27 7:15 p.m. · 19 views

CVE-2024-5714

In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with...

CVSS 7.4 · EPSS 0.0009
Exploits 1 · References 2
Vulnrichment
added 2024/06/27 6:42 p.m. · 19 views

CVE-2024-5714 Improper Access Control in lunary-ai/lunary

In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with...

CVSS 7.4 · AI score 6.8 · EPSS 0.0009
Exploits 1 · References 2
Cvelist
added 2024/06/27 6:42 p.m. · 22 views

CVE-2024-5714 Improper Access Control in lunary-ai/lunary

In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with...

CVSS 7.4 · EPSS 0.0009
Exploits 1 · References 2
OSSF Malicious Packages
added 2024/06/25 12:18 p.m. · 3 views

Malicious code in @b2bgeo/backend-api-types (npm)

--- -= Per source details. Do not edit below this line.=-...

AI score 7
Exploits 0 · References 1
OSV
added 2024/06/25 12:18 p.m. · 6 views

MAL-2024-1806 Malicious code in @b2bgeo/backend-api-types (npm)

--- -= Per source details. Do not edit below this line.=-...

AI score 7.1
Exploits 0 · References 1
Veracode
added 2024/06/18 7:40 a.m. · 21 views

Sensitive Information Disclosure

@lobehub/chat is vulnerable to Sensitive Information Disclosure. The vulnerability is due to insecure handling of the base URL in the frontend, allowing an attacker to modify it to their own attack URL. The attacker can then set up a server-side request to obtain the real backend API key...

CVSS 5.7 · AI score 6.5 · EPSS 0.00602
Exploits 1 · References 2 · Affected Software 1
CVE
added 2024/06/17 7:28 p.m. · 77 views

CVE-2024-37895

CVE-2024-37895 affects Lobe Chat, an open-source LLM/AI chat framework. In affected versions, if an attacker can authenticate via SSO/Access Code, they can modify the frontend base URL to point to a malicious attack URL and trigger a server-side request, enabling retrieval of the real backend API...

CVSS 5.7 · AI score 5.5 · EPSS 0.00602
Exploits 1 · References 1 · Affected Software 1
CNNVD
added 2024/06/17 12:00 a.m. · 2 views

Lobe Chat Security Vulnerability

Lobe Chat is an open source, high performance chatbot framework. A security vulnerability exists in Lobe Chat versions prior to 0.162.25, which stems from the fact that if an attacker is able to successfully authenticate via SSO/Access Code, they can obtain the real back-end API key by modifying...

CVSS 5.7 · AI score 6.7 · EPSS 0.00602
Exploits 1 · References 2