CVE-2026-50202

Summary: CVE-2026-50202 affects Steeltoe libraries: Steeltoe.Security.Authentication.CloudFoundryBase < 3.4.0, Steeltoe.Security.Authentication.JwtBearer < 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect

GHSA-X426-X7CC-3FPC @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects

Impact Wreck strips credential headers Authorization, Cookie, Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP...

EUVD-2026-29927

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect in the RedirectHandler function. An attacker can obtain sensitive information such as session cookies, proxy credentials, and API keys by inducing a cross-host or cross-scheme redirect, causing these headers to be forwarde...

Android Browser Open in New Tab Cookie Theft

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Browser "Open in New Tab" Cookie Theft', 'Description' = %q In Android's stock AOSP Browser application and WebView component, the "open ...

SUSE CVE-2017-5096

Insufficient policy enforcement during navigation between different schemes in Google Chrome prior to 60.0.3112.78 for Android allowed a remote attacker to perform cross origin content download via a crafted HTML page, related to intents...