EUVD-2026-16664

The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication 'getcurrentactiveuser' without any privilege checks e.g., 'issuperuser'...

User Impersonation

Overview github.com/traefik/traefik/v2/pkg/middlewares/auth is a Cloud Native Application Proxy. Affected versions of this package are vulnerable to User Impersonation through the basicAuth and digestAuth middleware headerField handling in pkg/middlewares/auth/basicauth.go and...

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation through the basicAuth and digestAuth middleware headerField handling in pkg/middlewares/auth/basicauth.go and pkg/middlewares/auth/digestauth.go. An attacker can impersonate an arbitrary user identity to backend...

CVE-2026-5025

The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication 'getcurrentactiveuser' without any privilege checks e.g., 'issuperuser'...

CVE-2026-4984 Botpress - Credential Disclosure via Twilio Webhook Handler

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVE-2026-33433 Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when headerField is configured with a non-canonical HTTP header name e.g., x-auth-user instead of X-Auth-User, an authenticated attacker can inject their own canonical version of that header to...

CVE-2026-33745

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects 301/302/307/308. A malicious or...

CVE-2026-33745 cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects 301/302/307/308. A malicious or...

CVE-2026-33745 cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects 301/302/307/308. A malicious or...

CVE-2026-33745 cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects 301/302/307/308. A malicious or...

CVE-2026-33745

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects 301/302/307/308. A malicious or...

Langflow 安全漏洞

Langflow is an open-source visualization framework developed by Langflow for building multi-agent and RAG applications. Langflow has a security vulnerability, which stems from endpoints/logs and/logs-stream in the logging router requiring only basic authentication without privilege checks. This...

PT-2026-28274

In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NO PERMISSIONS on the experiment, to read trace information and create assessments for...

PT-2026-28482

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.42 Traefik versions prior to 3.6.12 Traefik versions prior to 3.7.0-ea.3 Description Traefik, an HTTP reverse proxy and load balancer, is susceptible to an identity impersonation issue. When the headerField...

Information Exposure

Overview @apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al. Affected versions of this package are vulnerable to Information Exposure in the request handling process. An attacker can infer...

GO-2026-4846 Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...

CVE-2026-33152

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

EUVD-2026-16315

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

CVE-2026-33152 Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

CVE-2026-33152 Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...