28 matches found
EUVD-2026-34143
Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...
CVE-2026-42283 DevSpace UI Server WebSocket CheckOrigin does not validate source
DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the...
WWBN AVideo: missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
Summary: objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check Origin/Referer. Because AVideo intentionally sets...
EUVD-2026-13766
mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins='*', allow_credentials=True, allow_methods="*", and allow_headers="*". The...
PT-2026-7613
Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on...
EUVD-2016-5661
Malware in sbrugna...
EUVD-2017-0359
Malware in sbrugna...
EUVD-2018-4332
Malware in sbrugna...
EUVD-2019-3432
Malware in sbrugna...
EUVD-2023-29648
Malicious code in bioql PyPI...
RockyLinux 8 : python3.12-urllib3 (RLSA-2024:8842)
The remote RockyLinux 8 host has a package installed that is affected by a vulnerability as referenced in the RLSA-2024:8842 advisory. urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891). Tenable has extracted the preceding description block...
OESA-2024-2319 firefox security update
Mozilla Firefox is a standalone web browser, designed for standards compliance and performance. Its functionality can be enhanced via a plethora of extensions. Security Fixes: A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability...
CVE-2022-31151 Uncleared cookies on cross-host/cross-origin redirect in undici
Authorization headers are cleared on cross-origin redirect. However, cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookies to a third-party site or...
CVE-2021-38009
Inappropriate implementation in cache in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page...
Design/Logic Flaw
Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page...
CVE-2021-23973
CVE-2021-23973 describes a cross-origin loading issue in audio/video contexts where a decoding error could leak information about the resource. Affected software: Firefox versions older than 86, Thunderbird older than 78.8, and Firefox ESR older than 78.8. Public-facing details confirm this vulne...
CVE-2016-4676
A cross-origin vulnerability exists in WebKit in Apple Safari before 10.0.1 when processing location attributes, which could let a remote malicious user obtain sensitive information...
CVE-2016-4676
CVE-2016-4676: A cross-origin vulnerability in WebKit used by Apple Safari prior to 10.0.1 occurs when processing location attributes, allowing a remote attacker to obtain sensitive information. The NVD entry assigns a CVSS v3.1 base score of 7.5 (HIGH) with network attack and no user interactio...