145 matches found
CVE-2026-47825
The CVE affects Spring Cloud Gateway Server components (WebMVC and WebFlux gateways) where headers from untrusted proxies (X-Forwarded-For, Forwarded) are forwarded in certain configurations. Root cause: forwarded-header handling without a trusted-proxy basis allows forged headers to reach downst...
CVE-2026-2955
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...
CVE-2026-46527
A flaw was found in cpp-httplib, a C++ HTTP/HTTPS library. When a server using cpp-httplib has configured trusted proxies, a remote attacker can send a specially crafted HTTP request with a malformed X-Forwarded-For header. This can lead to undefined behavior, resulting in abnormal process...
NULL Pointer Dereference
Overview: Affected versions of this package are vulnerable to NULL Pointer Dereference in the get_client_ip process when the server is configured with trusted proxies and receives a specially crafted X-Forwarded-For header that parses to no valid IP segments. An attacker can cause abnormal process...
EUVD-2026-33426
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when the server has called Server::set_trusted_proxies with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid ...
CVE-2026-45364
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for or the configured IP-bearing header. IPv6 clients controlling a typical /6...
Better Auth Security Vulnerability
Better Auth is an open-source TypeScript framework for authentication. Versions of Better Auth prior to 1.4.17 and 1.5.0-beta.9 contained security vulnerabilities. These vulnerabilities stemmed from the HTTP rate limiter, which keyed each request based on the exact text IP address in the...
CVE-2018-25349
The CVE-2018-25349 vulnerability affects userSpice 4.3.24. A cross-site scripting flaw arises from crafted X-Forwarded-For header values sent to backup.php, with scripts executing when administrators visit the audit log page. This is the explicit impact described in the connected records. No reme...
CVE-2018-25349 userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header
userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators...
Unity Linux 20.1060e / 20.1070e Security Update: lighttpd (UTSA-2026-016637)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016637 advisory. In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as...
CVE-2026-2955 AI Chatbot & Workflow Automation by AIWU <= 1.4.14 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' Header
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...
WordPress plugin AI Chatbot & Workflow Automation by AIWU Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
GHSA-J8H8-75H3-JG53 Fleet has a rate limiting bypass via untrusted client IP headers
Impact: Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. Fleet determines a client’s public IP address using HTT...
Astra Linux – Vulnerability in golang-github-gin-gonic-gin
This affects all versions of the package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client’s IP address can be spoofed by setting the X-Forwarded-For header...
Astra Linux – Vulnerability in Ruby-Rack
Rack is a modular Ruby web server interface. Carefully crafted headers may cause header parsing in Rack to take longer than expected, potentially leading to a denial-of-service issue. The Accept and Forwarded headers are affected. Ruby 3.2 includes fixes for this problem, so Rack applications tha...
Insufficient Verification of Data Authenticity
Overview: Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth middleware when trustForwardHeader is set to false and the deployment is behind a trusted upstream proxy. An attacker can gain unauthorized access to protected backend...
User Impersonation
Overview: Affected versions of this package are vulnerable to User Impersonation via the X-Forwarded-Uri header when the --reverse-proxy setting is enabled and either --skip-auth-regex or --skip-auth-route is configured. An attacker can gain unauthorized access to protected routes by spoofing the...
PYSEC-2026-125
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...
pyLoad Security Vulnerability
pyLoad is an open-source download manager written in Python. Versions of pyLoad prior to 0.5.0b3.dev98 contained security vulnerabilities. These vulnerabilities stemmed from the lack of verification of the X-Forwarded-Proto header’s source, leading to race conditions in a multi-threaded...
PT-2026-33705
A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...