10 matches found
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the AdminService/StreamWorkflowReplicationMessages endpoint. An attacker can access replication streams and exfiltrate data by connecting to the frontend gRPC server without providing...
CVE-2026-5724 Missing Authentication on Streaming gRPC Replication Endpoint
The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests...
MAL-2025-9264 Malicious code in @protos-team/frontend-server (npm)
The package @protos-team/frontend-server was found to contain malicious code...
Malicious code in @confluence-classic/confluence-frontend-server (npm)
Source: ghsa-malware 8cad26a08baa688242974598d13ff7ace16ad461012cab483bcadedb84953fe7. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-4057 Malicious code in @confluence-classic/confluence-frontend-server (npm)
PYSEC-2025-180
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability "manage customizations" can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype...
MAL-2024-2395 Malicious code in @b2bgeo/frontend-server-api-types (npm)
CVE-2024-23452
Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request. Vulnerability Cause Description: The http_parser does not comply with the RFC-7230 HTTP 1.1 specification. Attack scenario: If a message is received with both a...
Http2Smugl - Tool to detect and exploit HTTP request smuggling in cases it can be achieved via HTTP/2 -> HTTP/1.1 conversion
This tool helps to detect and exploit HTTP request smuggling in cases where it can be achieved via HTTP/2 -> HTTP/1.1 conversion by the frontend server. The scheme is as follows: 1. An attacker sends a crafted HTTP/2 request to the target server, which we call the frontend. 2. The request is presumably...
Cross-site request forgery (CSRF)
Overly relaxed configuration of the frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via a crafted HTTP request...