753 matches found
Cedar Gate EZ-NET <= 6.8.0 - Cross-Site Scripting
The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. id: CVE-2022-23397 info: name: Cedar Gate EZ-NET = 6.8.0 - Cross-Si...
CVE-2026-49353
Summary (CVE-2026-49353): 9Router before 0.4.46 has a local‑only access gate in src/dashboardGuard.js that relies on Host and Origin headers to classify requests as local. In proxied/tunneled deployments (reverse proxy, Cloudflare Tunnel, Tailscale), these headers are attacker‑controlled, enablin...
CVE-2026-49353 9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest to protect /api/mcp/, /api/tunnel/, and /api/cli-tools/, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP...
CVE-2026-55638
9router prior to version 0.5.2 exposed an unauthenticated access path via /codex that bypassed the API-key gate due to an incomplete rewrite handling. An attacker could send requests to /codex/* and trigger upstream provider calls using operator-stored LLM provider credentials. The vulnerability ...
CVE-2026-58424
Permanent Fork PR Workflow Approval Gate Bypass...
CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass
Permanent Fork PR Workflow Approval Gate Bypass...
CVE-2026-58424
Permanent Fork PR Workflow Approval Gate Bypass...
CVE-2026-58424
Technical details about CVE-2026-58424 are not publicly available in the provided documents. No product, vector, or impact specifics are included. Monitor for updates in official advisories.
CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass
Permanent Fork PR Workflow Approval Gate Bypass...
PT-2026-55657
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A flaw exists that allows for a permanent fork pull request workflow approval gate bypass. This issue enables an attacker to circumvent the required approval...
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
Summary The fix for CVE-2026-46339 unauthenticated RCE via unprotected MCP plugin routes introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes /api/mcp/, /api/tunnel/, /api/cli-tools/ to loopback requests. The gate determines "local" by inspecting the Ho...
GHSA-WV26-J37Q-2G7P OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions
Summary Slack plugin approvals used the exec approver gate for plugin actions. In affected versions, a Slack user authorized only for exec approvals could resolve a plugin approval through the exec approver gate. This advisory is scoped to the named feature and configuration. It does not change...
PT-2026-55457
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest to protect /api/mcp/, /api/tunnel/, and /api/cli-tools/, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP...
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
The fix for CVE-2026-46339 unauthenticated RCE via unprotected MCP plugin routes introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes /api/mcp/, /api/tunnel/, /api/cli-tools/ to loopback requests. The gate determines "local" by inspecting the Host and...
MAL-2026-6723 Malicious code in electron-orbit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7faf51a6c9d6ed9fce8cf9de9ea8afee0e9c3dc1fb254e8cd0c3c2a8ca61323f On require'electron-orbit', the module unconditionally fires an auto-prefetch pipeline in Node contexts when no document is present that opens a raw...
CVE-2026-49858
API Platform Core contains a cross-user attribute leak in JSON:API and HAL item normalizers due to a missing isCacheKeySafe gate. Affected versions: 2.6.0 up to 4.1.28, 4.2.25, and 4.3.11 (i.e., before 4.1.29, 4.2.26, 4.3.12). Root cause: componentsCache arrays are keyed on $context['cache_key'] ...
DRUPAL-CONTRIB-2026-068
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows that were not intended by the use...
EUVD-2026-40414
Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...
CVE-2026-58446
CVE-2026-58446 affects Presenton before 0.8.8-beta. The MCP server deployed with session authentication in server/Docker setups is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth gate to that path, and the MCP server auto-mints a valid internal session token ...
Malicious code in cursed-modules (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45b6aab954f9b8edbc759c97eabe39d7a070c4dbe852586422761ad0f8c7ad95 [email protected] executes attacker-controlled code on three separate triggers and operates a bidirectional command channel against a hardcoded...