Lucene search
+L

47 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/06 8:11 a.m.6 views

CVE-2026-49099

Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection', Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search,...

6AI score0.00341EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:8 a.m.6 views

CVE-2026-48205

Improper Input Validation, Server-Side Request Forgery SSRF vulnerability in Apache Camel DNS component. The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers who...

6.1AI score0.0037EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 7:35 p.m.14 views

symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted

Description When using symfony/ux-live-component, methods annotated with LiveAction are invokable from the browser and mutate server-side state via AJAX. Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gated these invocations on the presence of Accept:...

2.1CVSS5.9AI score
Exploits0References4Affected Software1
Spring Security Advisories
Spring Security Advisories
added 2026/06/10 12:0 a.m.13 views

cve-2026-40999 - HIGH - Spring WS SSRF via unvalidated WS-Addressing reply destinations

cve-2026-40999 - HIGH - Spring WS SSRF via unvalidated WS-Addressing reply destinations...

8.6CVSS6.1AI score0.00383EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.12 views

CVE-2026-45364

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for or the configured IP-bearing header. IPv6 clients controlling a typical /6...

7.3CVSS5.5AI score0.00295EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.21 views

PT-2026-48903

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final Description Netty is a network application framework for developing protocol servers and clients. The RedisArrayAggregator pre-allocates an ArrayList with an initial...

7.8CVSS5.2AI score0.0038EPSS
Exploits0References59
NVD
NVD
added 2026/05/29 7:16 p.m.13 views

CVE-2026-44649

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User Authelia and X-Authentik-Username Authentik HTTP headers to...

9.8CVSS0.00218EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.14 views

PT-2026-40545

Name of the Vulnerable Software and Affected Versions SillyTavern versions prior to 1.18.0 Description An authentication bypass and account takeover issue exists when Authelia or Authentik SSO is enabled. The software accepts Remote-User for Authelia and X-Authentik-Username for Authentik HTTP...

9.8CVSS5.8AI score0.00218EPSS
Exploits0References11
OSV
OSV
added 2026/04/08 3:4 p.m.1 views

GHSA-5MWJ-V5JW-5C97 LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

Summary The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected...

5CVSS6AI score0.00126EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/02/14 12:0 a.m.9 views

WordPress plugin BlueSnap Payment Gateway for WooCommerce 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

7.5CVSS5.8AI score0.00281EPSS
Exploits0References3
Snyk
Snyk
added 2026/02/03 6:42 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview agents is an A home for your AI agents Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the createHeaderBasedEmailResolver function. An attacker can redirect inbound email to arbitrary internal objects by manipulating the Message-ID...

7.2CVSS5.8AI score0.00366EPSS
Exploits0References2
OSV
OSV
added 2026/02/03 6:42 p.m.8 views

GHSA-R7X9-8PH7-W8CG Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference CWE-639 has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation o...

6.9CVSS5.7AI score0.00366EPSS
Exploits0References4
NVD
NVD
added 2026/02/03 12:16 p.m.18 views

CVE-2026-1664

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

6.9CVSS0.00366EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/03 11:39 a.m.12 views

CVE-2026-1664

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

6.9CVSS5.5AI score0.00366EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/03 11:39 a.m.6 views

CVE-2026-1664 Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

6.9CVSS5.5AI score0.00366EPSS
Exploits0References1
CVE
CVE
added 2026/02/03 11:39 a.m.34 views

CVE-2026-1664

Summary: CVE-2026-1664 affects Cloudflare Agents SDK prior to 0.3.7, due to an IDOR in header-based email routing. Root cause: createHeaderBasedEmailResolver() parses Message-ID and References to derive target agentName/agentId without cryptographic/origin verification, letting external headers s...

6.9CVSS5.5AI score0.00366EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:50 a.m.8 views

CVE-2022-37724

Project Wonder WebObjects 1.0 through 5.4.3 is vulnerable to Arbitrary HTTP Header injection and URL- or Header-based XSS reflection in all web-server adaptor interfaces...

6.1CVSS6.3AI score0.00546EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2025/10/14 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2018-1335

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line o...

9.3CVSS7AI score0.93972EPSS
Exploits10References2
Positive Technologies
Positive Technologies
added 2025/10/10 12:0 a.m.6 views

PT-2025-41612

Name of the Vulnerable Software and Affected Versions BigFix WebUI affected versions not specified Description The BigFix WebUI application is susceptible to Host Header Poisoning Attacks. The application responds with HOST information from the HTTP header field. Recommendations At the moment,...

6.1CVSS6.4AI score0.00181EPSS
Exploits0References6
NVD
NVD
added 2025/08/29 10:15 p.m.6 views

CVE-2025-57752

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers such as Cookie or...

6.2CVSS0.00325EPSS
Exploits0References4
Rows per page
Query Builder