EUVD-2026-40359

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper weed/server/common.go, with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON...

Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack

Summary The Glances XML-RPC server glances -s, implemented in glances/server.py does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 patched in 4.5.2 added TrustedHostMiddleware to the REST/WebUI server; the MCP server has had equivalent protectio...

Unity Linux 20.1060e / 20.1070e Security Update: ceph (UTSA-2026-016657)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016657 advisory. A flaw was found in the Red Hat Ceph Storage RadosGW Ceph Object Gateway in versions before 14.2.21. The vulnerability is related to the injection of HTTP headers vi...

Permissive Cross-domain Policy with Untrusted Domains

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains in the POST /agui endpoint due to the absence of authentication and the use of a...

GHSA-5V8V-XVJV-57X7 Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing CORS header injection vulnerability in Keycloak's User-Managed Access UMA token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token JWT is used to set the...

MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)

Summary Hardcoded Wildcard CORS Access-Control-Allow-Origin: - https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.javaL289 -...

CVE-2026-33043 AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

EulerOS 2.0 SP11 : golang (EulerOS-SA-2025-2462)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.CVE-2025-4673 If...

Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities

Summary IBM Guardium Data Security Center has addressed these vulnerabilties with an update. Vulnerability Details CVEID:CVE-2025-4673 DESCRIPTION: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. CVSS Source: CISA A...

Linux Distros Unpatched Vulnerability : CVE-2017-20146

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, whi...

Linux Distros Unpatched Vulnerability : CVE-2020-10753

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the Red Hat Ceph Storage RadosGW Ceph Object Gateway. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader...

PYSEC-2023-115

Sentry is an error tracking and performance monitoring platform. Starting in version 23.6.0 and prior to version 23.6.2, the Sentry API incorrectly returns the access-control-allow-credentials: true HTTP header if the Origin request header ends with the system.base-hostname option of Sentry...

PT-2021-8576 · Github.Com/Gorilla/Handlers +12 · Github.Com/Gorilla/Handlers +3

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue concerns the usage of the CORS handler, which may apply improper CORS headers. This allows the requester to explicitly control the value of th...