31 matches found
CVE-2026-48794 Authelia has an Edge Case Access Control Rule Mismatch
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may b...
CVE-2026-53899 Cross-origin cookies could be leaked when opening a PDF link
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0...
CVE-2026-53899
CVE-2026-53899 affects Firefox for iOS. The issue arises from partial domain matching when attaching cookies to PDF requests, enabling a malicious site on a suffix domain to receive cookies belonging to the target site. The root cause is tied to how cookies were matched during PDF handling, leadi...
EUVD-2026-37077
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0...
Security Vulnerabilities fixed in Firefox for iOS 152.0 — Mozilla
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in...
PT-2026-49700
Name of the Vulnerable Software and Affected Versions Firefox for iOS versions prior to 152.0 Description Firefox for iOS used partial domain matching when attaching cookies to PDF requests. This behavior allows a malicious site hosted on a suffix domain to receive cookies belonging to the target...
CVE-2026-50090
The Aqara Cloud OAuth Authorization Endpoint open-cn.aqara.com/oauth/authorize is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of...
CVE-2026-50090 Aqara OAuth redirect_uri validation bypass
The Aqara Cloud OAuth Authorization Endpoint open-cn.aqara.com/oauth/authorize is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of...
CVE-2026-50090 Aqara OAuth redirect_uri validation bypass
The Aqara Cloud OAuth Authorization Endpoint open-cn.aqara.com/oauth/authorize is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of...
EUVD-2026-36480
The Aqara Cloud OAuth Authorization Endpoint open-cn.aqara.com/oauth/authorize is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of...
CVE-2026-50090
Technical details about CVE-2026-50090 are not publicly available in the provided documents. Monitor for updates from official advisories to learn affected components, impact, and fixes.
PT-2026-48914
Name of the Vulnerable Software and Affected Versions Aqara Cloud affected versions not specified Description The OAuth Authorization Endpoint "open-cn.aqara.com/oauth/authorize" is subject to a redirect bypass caused by improper validation of unsafe equivalence in input. This flaw allows for...
EUVD-2013-1936
Malware in sbrugna...
EUVD-2021-0944
Malware in sbrugna...
EUVD-2023-49588
Malicious code in bioql PyPI...
CVE-2023-27974
Bitwarden through 2023.2.1 offers password auto-fill when the second-level domain matches, e.g., a password stored for an example.com hosting provider when customer-website.example.com is visited. NOTE: the vendor's position is that "Auto-fill on page load" is not enabled by default...
golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
A flaw was found in Go's net/http/cookiejar standard library package. When following an HTTP redirect to a domain that is not a subdomain match or an exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect...
CVE-2023-45289
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a...
CVE-2023-27974
Bitwarden through 2023.2.1 offers password auto-fill when the second-level domain matches, e.g., a password stored for an example.com hosting provider when customer-website.example.com is visited. NOTE: the vendor's position is that "Auto-fill on page load" is not enabled by default...
ALPINE-CVE-2022-32205
A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl 7.84.0 stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger th...