NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the getclientip process when the server is configured with trusted proxies and receives a specially crafted X-Forwarded-For header that parses to no valid IP segments. An attacker can cause abnormal process...

Langflow vulnerable to injection

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function getclientip/installmcpconfig of the file src/backend/base/langflow/api/v1/mcpprojects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...

EUVD-2026-23762

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function getclientip/installmcpconfig of the file src/backend/base/langflow/api/v1/mcpprojects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...

CVE-2026-6599 langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function getclientip/installmcpconfig of the file src/backend/base/langflow/api/v1/mcpprojects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...

Langflow 安全漏洞

Langflow is an open-source visualization framework developed by Langflow for building multi-agent and RAG applications. Versions of Langflow 1.8.3 and earlier contain security vulnerabilities. These vulnerabilities stem from incorrect operations on the function getclientip/installmcpconfig in the...

PT-2026-33705

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get client ip/install mcp config of the file src/backend/base/langflow/api/v1/mcp projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...

CVE-2026-35391 Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP function in lib/admin/session.ts trusted the first leftmost entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to...

CVE-2026-35391

CVE-2026-35391 affects Bulwark Webmail (lib/admin/session.ts getClientIP) prior to version 1.4.11. The function trusts the first (leftmost) entry of the X-Forwarded-For header, which is client-controlled. This allows an attacker to forge their source IP to bypass IP-based rate limiting (facilitat...

Improper Output Neutralization for Logs

Overview Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the unconditional acceptance of attacker-supplied HTTP headers in the getclientip function. An attacker can manipulate server-visible metadata, logs, and authorization decisions by supplying...

CVE-2025-66577 cpp-httplib Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which...

CVE-2020-19962

A stored cross-site scripting XSS vulnerability in the getClientIp function in /lib/tinwin.class.php of Chaoji CMS 2.39, allows attackers to execute arbitrary web scripts...