CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

20 matches found

SUSE CVE•added 2026/05/05 1:45 a.m.•1 views

SUSE CVE-2026-40912

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches...

8.2CVSS5.7AI score0.00098EPSS

Exploits1References3

Vulnrichment•added 2026/04/30 8:38 p.m.•1 views

CVE-2026-40912 Traefik: StripPrefixRegex auth bypass via Path/RawPath desync

7.8CVSS5.7AI score0.00098EPSS

Exploits1References4

GithubExploit•added 2026/04/19 5:24 p.m.•83 views

Exploit for Special Element Injection in Apache Apisix

CVE-2026-31908 - Apache APISIX Header Injection Exploit !Se...

9.1CVSS5.8AI score0.00043EPSS

Exploits1

RedhatCVE•added 2026/04/16 1:22 p.m.•1 views

CVE-2026-31908

Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue...

9.1CVSS5.8AI score0.00043EPSS

Exploits1References1

Vulnrichment•added 2026/04/14 8:6 a.m.•0 views

CVE-2026-31908 Apache APISIX: forward auth plugin allows header injection

5.8AI score0.00043EPSS

Exploits1References1

Cvelist•added 2026/04/14 8:6 a.m.•23 views

CVE-2026-31908 Apache APISIX: forward auth plugin allows header injection

0.00043EPSS

Exploits1References1

EUVD•added 2026/04/14 8:6 a.m.•0 views

EUVD-2026-22225

5.8AI score0.00043EPSS

Exploits1References1

CVE•added 2026/04/14 8:6 a.m.•12 views

CVE-2026-31908

Apache APISIX (forward-auth plugin) is affected by a header injection vulnerability (CVE-2026-31908) tracked across multiple feeds. Affects versions 2.12.0 through 3.15.0; exploitation arises from improper sanitization of CRLF sequences in the forward-auth plugin, enabling injection of HTTP heade...

9.1CVSS5.8AI score0.00043EPSS

Exploits1References2Affected Software1

SUSE CVE•added 2026/03/10 12:24 a.m.•0 views

SUSE CVE-2026-30851

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forwardauth copyheaders does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2...

8.8CVSS5.7AI score0.00023EPSS

Exploits1References4

OSV•added 2026/03/07 4:28 p.m.•3 views

CVE-2026-30851 Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

8.1CVSS5.7AI score0.00023EPSS

Exploits1References6

Github Security Blog•added 2026/03/06 11:38 p.m.•8 views

Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

Summary Caddy's forwardauth directive with copyheaders generates conditional header-set operations that only fire when the upstream auth service includes the named header in its response. No delete or remove operation is generated for the original client-supplied request header with the same name...

8.8CVSS5.9AI score0.00023EPSS

Exploits1References6Affected Software1

ATTACKERKB•added 2026/03/05 4:15 p.m.•3 views

CVE-2026-26998

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is...

4.4CVSS5.8AI score0.00042EPSS

Exploits0References4Affected Software1

EUVD•added 2025/10/03 8:7 p.m.•3 views

EUVD-2024-30440

Malicious code in bioql PyPI...

6.3CVSS6.5AI score0.00466EPSS

Exploits0References3

RedhatCVE•added 2025/02/14 11:39 a.m.•7 views

CVE-2024-32638

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

6.3CVSS6.9AI score0.00466EPSS

Exploits0References1

OSV•added 2024/05/04 7:16 a.m.•22 views

BIT-APISIX-2024-32638 Apache APISIX: Forward-Auth Request Smuggling

6.3CVSS6.3AI score0.00466EPSS

Exploits0References3

NVD•added 2024/05/02 10:15 a.m.•13 views

CVE-2024-32638

6.3CVSS6.6AI score0.00466EPSS

Exploits0References2

Cvelist•added 2024/05/02 9:20 a.m.•18 views

CVE-2024-32638 Apache APISIX: Forward-Auth Request Smuggling

6.8AI score0.00466EPSS

Exploits0References2

CVE•added 2024/05/02 9:20 a.m.•113 views

CVE-2024-32638

This CVE (CVE-2024-32638) concerns Apache APISIX and the forward-auth plugin, where an Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) vulnerability exists. Affected versions are APISIX 3.8.0 and 3.9.0; upgrading to 3.8.1, 3.9.1, or newer mitigates the issue. The vulnerabili...

6.3CVSS6.4AI score0.00466EPSS

Exploits0References2Affected Software1

Vulnrichment•added 2024/05/02 9:20 a.m.•22 views

CVE-2024-32638 Apache APISIX: Forward-Auth Request Smuggling

6.4AI score0.00466EPSS

Exploits0References2

Positive Technologies•added 2024/05/02 12:0 a.m.•2 views

PT-2024-24735 · Apache · Apache Apisix

Name of the Vulnerable Software and Affected Versions: Apache APISIX versions 3.8.0 through 3.9.0 Description: The issue is related to an Inconsistent Interpretation of HTTP Requests, also known as 'HTTP Request Smuggling', in Apache APISIX when using the forward-auth plugin. Recommendations: For...

6.3CVSS6.3AI score0.00466EPSS

Exploits0References11

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by