CVE-2020-26163
BigBlueButton Greenlight before 2.5.6 allows HTTP header Host and Origin attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link...
SUSE CVE-2025-43864
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...
CVE-2025-2833
A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been classified as problematic. Affected is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to inefficient regular expression complexity. It is possible to launch th...
Oracle Linux 9 : git-lfs (ELSA-2024-2724)
The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-2724 advisory. 3.4.1-2 - Rebuild with new Golang - Resolves: RHEL-32570, RHEL-28385, RHEL-28402, RHEL-28432 Tenable has extracted the preceding description block...
Multilaser RE160V and RE163V Security Vulnerability
The Multilaser RE160V and Multilaser RE163V are both wireless routers from Multilaser. A security vulnerability exists in the Multilaser RE160V firmware version v12.03.01.09pt, RE163V firmware version v12.03.01.10pt. An attacker can use this vulnerability to bypass access control and gain full...
GHSA-CRQF-Q9FP-HWJW Spring-Kafka has Java Deserialization vulnerability When Improperly Configured
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers...
ApPHP MicroCMS 1.0.1 Host Header Injection
==================================================================================================================================== | Title : ApPHP MicroCMS v1.0.1 Host header attack Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro | | Vendor :...
SUSE CVE-2016-5386
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI...
SUSE-SU-2023:0079-1 Security update for python-future
This update for python-future fixes the following issues: - CVE-2022-40899: Fixed an issue that could allow attackers to cause an excessive CPU usage via a crafted Set-Cookie header bsc1206673...
CVE-2022-31109 HTTP Host Header Attack Vulnerability in laminas-diactoros
laminas-diactoros is a PHP package containing implementations of the PSR-7 HTTP message interfaces and PSR-17 HTTP message factory interfaces. Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol,...
GHSA-C8RP-CGF4-937W mezzio-swoole Applications Using Diactoros Vulnerable to HTTP Host Header Attack
Impact mezzio-swoole applications using Diactoros for their PSR-7 implementation, and which are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request...
GHSA-8274-H5JP-97VR Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack
Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-...
Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack.
Description Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from...
haproxy: it can lead to a situation with an attacker-controlled HTTP Host header because a mismatch between Host and authority is mishandled
haproxy was found to be vulnerable to HTTP host header attack: This problem creates a scenario in which it's possible to drop the Host header and use the authority only after forwarding to a second http2 layer, possibly causing two differing values of Host at a different stage. The highest threat...
CVE-2021-38751
An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM...
CVE-2021-38751
CVE-2021-38751 describes a host header injection in ExponentCMS 2.6 and earlier, exploitable via the file /exponent_constants.php. A crafted HTTP Host header can cause links on the page to be rewritten to arbitrary values, creating a potential MITM attack vector. The publicly referenced sources (...
CVE-2021-38290
A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man-in-the-middle attack such as phishing...
CVE-2021-38290
CVE-2021-38290 affects FUEL CMS 1.5.0, with the issue localized to fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. The vulnerability is described as a host header attack that could enable man-in-the-middle-style abuse (e.g., phishing). The Connected document...