57 matches found
Splunk Enterprise 输入验证错误漏洞
Splunk Cloud Platform and Splunk Enterprise are both products of the American company Splunk. Splunk Cloud Platform is a powerful service for data collection, processing, and analysis. Splunk Enterprise is a suite of software for data collection and analysis. There is an input validation...
Splunk Enterprise 服务端请求伪造漏洞
Splunk Cloud Platform and Splunk Enterprise are both products of the American company Splunk. Splunk Cloud Platform is a powerful service for data collection, processing, and analysis. Splunk Enterprise is a suite of software for data collection and analysis. There are code vulnerabilities in...
CVE-2026-45108
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant DAG flow that allowed a user within the same Entra ID domain to obtain a local Unix...
Hackney 安全漏洞
Hackney is a program library from Hackney, Inc. A security vulnerability exists in hackney versions prior to 3.1.1 through 4.0.1, which stems from a failure to perform cross-domain checks in the HTTP/3 redirect handler, potentially leading to the disclosure of sensitive data...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-tornado (UTSA-2026-021488)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021488 advisory. In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for...
CVE-2026-41321
@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...
CVE-2026-41259
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted...
Incorrect Authorization
Overview github.com/oauth2-proxy/oauth2-proxy is a reverse proxy that provides authentication with Google, Github or other providers. Affected versions of this package are vulnerable to Incorrect Authorization in the email domain validation. An attacker can gain unauthorized access by submitting ...
CVE-2026-40574 OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the emaildomain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and...
OAuth2 Proxy 安全漏洞
OAuth2 Proxy is a product offered by OAuth2 Proxy organizations that can provide a reverse proxy for authentication with Google, Github, or other providers. Versions of OAuth2 Proxy prior to 7.15.2 had security vulnerabilities. These vulnerabilities stemmed from the emaildomain enforcement option...
PT-2026-33223
Name of the Vulnerable Software and Affected Versions OAuth2 Proxy versions prior to 7.15.2 Description An authorization bypass exists within the email domain enforcement option. An attacker can authenticate using a malformed email claim, such as [email protected]@company.com, to satisfy an allow...
PT-2026-22062
Name of the Vulnerable Software and Affected Versions Astro versions 9.0.0 through 9.5.3 Description Astro’s image pipeline contains a flaw that allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. The inferSize...
Claude Code 输入验证错误漏洞
Claude Code is an open-source proxy encoding tool developed by Anthropic. Versions of Claude Code prior to 1.0.111 contained a vulnerability related to input validation errors. This vulnerability stemmed from the insufficient URL validation in the trusted domain verification mechanism of WebFetch...
Siemens SIMATIC S7-1500 and Ruggedcom ROX Devices Improper Input Validation (CVE-2023-46218)
This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mix...
Astra Linux – Vulnerability in Firefox and Thunderbird
Firefox may have incorrectly parsed a URL and reverted it to the youtube.com domain during parsing of the URL specified in an embed tag. This could have bypassed website security checks that restrict which domains users are allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ES...
Unity Linux 20.1070a Security Update: firefox (UTSA-2025-987436)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-987436 advisory. Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed websi...
EUVD-2025-12102
Malicious code in bioql PyPI...
CVE-2025-56200
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leadi...
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter
Summary When using Astro's Cloudflare adapter @astrojs/cloudflare configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served...
Security Bulletin: A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, which affects IBM watsonx.data
Summary A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-27820 DESCRIPTION: A bug in PSL validation...