CVE-2026-54290

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...

hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Summary With credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints...

PT-2026-44473

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS CORS ALLOWED ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true a...

Exploit for Improper Neutralization of Line Delimiters in Cacti

CVE-2025-24367-WebShell Exploit He creado este pequeño script...

PT-2026-34202

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This...

SUSE CVE-2026-32610

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets alloworigins="" combined with allowcredentials=True. When both of these options are enabled together, Starlette's CORSMiddlewa...

CVE-2026-32610

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets alloworigins="" combined with allowcredentials=True. When both of these options are enabled together, Starlette's CORSMiddlewa...

Linux Distros Unpatched Vulnerability : CVE-2026-32610

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration...

CVE-2026-25817

HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low privilege access on the gateway,...

CVE-2026-28677

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with incomplete destination restrictions. Although private/local host checks existed, missing...

Exploit for CVE-2026-27579

Appwrite CORS Misconfiguration Exploit PoC CVE-2026-27579...

CVE-2025-58428

The TLS4B ATG system's SOAP-based interface is vulnerable due to its accessibility through the web services handler. This vulnerability enables remote attackers with valid credentials to execute system-level commands on the underlying Linux system. This could allow the attacker to achieve remote...

CVE-2025-58778

Multiple versions of RG-EST300 provided by Ruijie Networks provide SSH server functionality. It is not documented in the manual, and enabled in the initial configuration. Anyone with the knowledge of the related credentials can log in to the affected device, leading to information disclosure,...

Missing Authorization

Overview org.jenkins-ci.plugins:vmanager-plugin is a Jenkins plugin that Integrates Jenkins to Cadence vManager. Affected versions of this package are vulnerable to Missing Authorization. An attacker with Overall/Read permission can connect to an attacker-specified URL using attacker-specified...

CVE-2022-44794

An issue was discovered in Object First Ootbi BETA build 1.0.7.712. Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn't validate input parameters. As a result, arbitrary data goes directly to...

Jenkins JiraTestResultReporter Plugin 跨站请求伪造漏洞

Jenkins is an application. An open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier versions are vulnerable to cross-site request forgery, which stems from a...

CVE-2021-40067

The access controls on the Mobility read-write API improperly validate user access permissions; this API is disabled by default. If the API is manually enabled, attackers with both network access to the API and valid credentials can read and write data to it; regardless of access control group...

CVE-2021-1519

A vulnerability in the interprocess communication IPC channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to overwrite VPN profiles on an affected device. The vulnerability is due to insufficient validation of user-supplied input. An attacker...

CVE-2020-5793

A vulnerability in Nessus versions 8.9.0 through 8.12.0 for Windows & Nessus Agent 8.0.0 and 8.1.0 for Windows could allow an authenticated local attacker to copy user-supplied files to a specially constructed path in a specifically named user directory. An attacker could exploit this vulnerabili...

CVE-2019-13919

A vulnerability has been identified in SINEMA Remote Connect Server All versions V2.0 SP1. Some pages that should only be accessible by a privileged user can also be accessed by a non-privileged user. The security vulnerability could be exploited by an attacker with network access and valid...