Lucene search
K

34 matches found

EUVD
EUVD
added 4 days ago5 views

EUVD-2026-39508

File Browser: Authentication Bypass via Proxy Auth Header Forgery...

9.1CVSS6.1AI score0.00337EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/29 5:17 p.m.12 views

EUVD-2026-40160

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the getremoteaddress function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attacker...

6.9CVSS5.9AI score0.00192EPSS
Exploits0References4
NVD
NVD
added 2026/06/25 7:16 p.m.15 views

CVE-2026-54089

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication auth.method=proxy, any unauthenticated attacker who can reach the server...

9.1CVSS0.00337EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/25 5:46 p.m.7 views

CVE-2026-54089

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Starting with 2.0.0-rc.1, when FileBrowser is configured with proxy authentication auth.method=proxy, any unauthenticated attacker who can reach the server...

9.1CVSS5.8AI score0.00337EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.12 views

PT-2026-52537

Name of the Vulnerable Software and Affected Versions File Browser versions 2.0.0-rc.1 and later Description When configured with proxy authentication auth.method=proxy, the software improperly trusts upstream identity headers without validating that requests originate from a trusted proxy. An...

9.1CVSS5.7AI score0.00337EPSS
Exploits0References10
Snyk
Snyk
added 2026/06/24 9:17 p.m.4 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...

8.7CVSS6AI score0.00864EPSS
Exploits0References2
NVD
NVD
added 2026/06/18 5:16 p.m.22 views

CVE-2026-56020

The Webmin HTTP server miniserv.pl allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641...

9.2CVSS0.00285EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/18 4:12 p.m.21 views

CVE-2026-56020 Webmin HTTP header authentication bypass

The Webmin HTTP server miniserv.pl allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641...

9.2CVSS0.00285EPSS
Exploits0References4
CVE
CVE
added 2026/06/18 4:12 p.m.43 views

CVE-2026-56020

The CVE-2026-56020 affects the Webmin HTTP server (miniserv.pl). An unauthenticated attacker can bypass authentication by sending a forged HTTP header to impersonate any user who has an SSL client certificate configured, effectively spoofing certificate DNs to gain access. This is a network-based...

9.2CVSS5.3AI score0.00285EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/18 4:12 p.m.11 views

EUVD-2026-37909

The Webmin HTTP server miniserv.pl allows unauthenticated attackers to impersonate any user with a configured SSL client certificate by sending a forged HTTP header. A remote attacker can spoof certificate DNs and authenticate as any user. Fixed in 2.641...

9.2CVSS5.3AI score0.00285EPSS
Exploits0References4
CVE
CVE
added 2026/04/10 4:3 p.m.14 views

CVE-2026-35656

OpenClaw is affected pre-2026.3.22 by an authentication bypass in X-Forwarded-For header processing when trustedProxies is configured, enabling an attacker to spoof loopback hops and bypass canvas authentication and rate-limiting protections by forging forwarding headers. The issue impacts the au...

6.5CVSS5.8AI score0.00314EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/04/08 7:37 p.m.14 views

CVE-2026-39411

CVE-2026-39411 (LobeHub) describes an unauthenticated authentication bypass on the webapi routes via a forgeable, client-controlled X-lobe-chat-auth header. Before version 2.1.48, the webapi authentication layer trusts an XOR-obfuscated header (hardcoded key: “LobeHub · LobeHub”) and treats decod...

7.1CVSS6AI score0.00126EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/04/08 3:4 p.m.8 views

User Impersonation

Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

7.1CVSS5.8AI score0.00126EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/10 4:56 p.m.1 views

CVE-2026-30956 OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the...

9.9CVSS5.8AI score0.00494EPSS
Exploits1References2
CVE
CVE
added 2026/03/10 4:56 p.m.22 views

CVE-2026-30956

CVE-2026-30956 relates to OneUptime with advisory GHSA-R5V6-2599-9G3M and OSV-GHSA-R5V6-2599-9G3M describing an authorization bypass in v10.0.20. The root cause is that the API trusts a client-controlled is-multi-tenant-query header to bypass tenant isolation, causing the system to skip Table/Que...

9.9CVSS5.8AI score0.00494EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/05 1:57 a.m.8 views

CVE-2026-27981

HomeBox is a home inventory and organization system. Prior to 0.24.0, the authentication rate limiter authRateLimiter tracks failed attempts per client IP. It determines the client IP by reading, 1. X-Real-IP header, 2. First entry of X-Forwarded-For header, and 3. r.RemoteAddr TCP connection...

7.4CVSS6AI score0.00262EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/04 3:33 a.m.2 views

Brute Force

Overview Affected versions of this package are vulnerable to Brute Force via the authentication rate limiting process. An attacker can bypass authentication rate limiting by forging the X-Real-IP header, allowing unlimited authentication attempts from a single source. Remediation Upgrade...

9.1CVSS5.8AI score0.00262EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/12/16 11:55 p.m.5 views

CVE-2025-66482

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to...

6.9CVSS6.9AI score0.00285EPSS
Exploits1References1
NVD
NVD
added 2025/12/16 12:16 a.m.11 views

CVE-2025-66482

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to...

6.9CVSS0.00285EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/12/15 11:18 p.m.4 views

CVE-2025-66482 Misskey has a login rate limit bypass via spoofed X-Forwarded-For header

Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option trustProxy has been added in config file to...

6.9CVSS6.5AI score0.00285EPSS
Exploits1References2
Rows per page
Query Builder