214 matches found
GHSA-F93W-PCJ3-RGGC Pingora vulnerable to cache poisoning via insecure-by-default cache key
Impact Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users. This vulnerability affects users of Pingora's alpha proxy caching feature...
EUVD-2026-9512
Pingora vulnerable to cache poisoning via insecure-by-default cache key...
Pingora vulnerable to cache poisoning via insecure-by-default cache key
Impact Pingora versions prior to 0.8.0 generated cache keys using only the URI path, excluding critical factors such as the host header. This allows an attacker to poison the cache and serve cross-origin responses to users. This vulnerability affects users of Pingora's alpha proxy caching feature...
Duplicate Advisory: Cache poisoning via insecure-by-default cache key
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...
GHSA-2M8C-2374-465F Duplicate Advisory: Cache poisoning via insecure-by-default cache key
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...
CVE-2026-2836
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...
CVE-2026-2836
Pingora CVE-2026-2836 affects the default cache key construction in Pingora’s alpha proxy caching feature, which uses only the URI path and omits the host header (authority) and other factors. This can enable cross-tenant data leakage and cache poisoning where cached responses may be served to us...
CVE-2026-2836
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...
CVE-2026-2836 Cache poisoning via insecure-by-default cache key
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...
CVE-2026-2836 Cache poisoning via insecure-by-default cache key
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...
PT-2026-23082
Name of the Vulnerable Software and Affected Versions Pingora versions prior to 0.8.0 Description A cache poisoning issue exists in the Pingora HTTP proxy framework’s default cache key construction. The default HTTP cache key implementation generates cache keys using only the URI path, excluding...
CVE-2026-27838
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...
CVE-2026-27838
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, ache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...
CVE-2026-27595
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent has multiple security vulnerabilities that, when chained, allow unauthenticated remote attackers to perform arbitrary read...
wger 安全漏洞
WGER is an open-source project developed by the WGER Team, written in Django, and serves as a self-hosted FLOSS fitness/exercise, nutrition, and weight tracking application. Versions of WGER 2.4 and earlier contained security vulnerabilities, which were caused by improper handling of cache key...
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Impact The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches The...
Improper Validation of Unsafe Equivalence in Input
Overview parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the ConfigKeyCache process. An attacker can obtain unauthorized access to sensitive master key information by exploiting cac...
CVE-2026-27610 Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only use...
CVE-2026-27610 Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only use...
CVE-2026-27610
In Parse Dashboard, versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have a vulnerability where the ConfigKeyCache uses the same cache key for both the master key and the read-only master key when resolving function-typed keys. Under specific timing conditions, this can allow a read-only user to obt...