FortiClient EMS 7.4.6 Vulnerability Assessment Tool

CVE-2026-35616 is a pre-authentication API bypass in FortiClient EMS 7.4.5 and 7.4.6 that allows remote, unauthenticated attackers to bypass certificate-based authentication through HTTP header spoofing. The Django application trusts user-controllable HTTP headers X-SSL-CLIENT-VERIFY,...

Exploit for Improper Access Control in Fortinet Forticlientems

CVE-2026-35616 Vulnerability Assessment Tool Safely detect wh...

GHSA-CXJ8-GGF2-P57C Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth...

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth...

curl: CRLF Injection in HAProxy PROXY Protocol via CURLOPT_HAPROXY_CLIENT_IP allows IP spoofing and protocol injection

Summary: CURLOPTHAPROXYCLIENTIP introduced in curl 8.2.0 accepts arbitrary strings without any validation or sanitization before injecting them into the HAProxy PROXY protocol v1 header. An attacker who can influence the value passed to this option e.g., through a web application that proxies...

SUSE CVE-2026-29794

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

GHSA-844J-XRRQ-WGH4 OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection

Summary When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked:...

GO-2026-4830 NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers in github.com/nats-io/nats-server

NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers in github.com/nats-io/nats-server...

CVE-2026-33149

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWEDHOSTS = '' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.buildabsoluteu...

CVE-2026-33314

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @localcheck decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints,...

CVE-2025-69240

Raytha CMS allows an attacker to spoof X-Forwarded-Host or Host headers to attacker controlled domain. The attacker who knows the victim's email address can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser...

CVE-2026-33511

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the localcheck decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to...

SUSE CVE-2026-33246

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NAT...

Linux Distros Unpatched Vulnerability : CVE-2026-33223

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header...

CVE-2026-33223

A flaw was found in NATS-Server. An authenticated attacker could exploit a vulnerability where the Nats-Request-Info: message header was not effectively stripped from inbound messages. This allowed the attacker to spoof their identity to services relying on this header, potentially leading to...

DEBIAN-CVE-2026-33223

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was...

UBUNTU-CVE-2026-33223

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was...

CVE-2026-33223

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was...

DEBIAN-CVE-2026-33246

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NAT...

CVE-2026-33246

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NAT...