Lucene search
K

12664 matches found

OSV
OSV
added 2026/05/29 6:20 p.m.9 views

GHSA-9G8X-92Q2-P28F NodeVM observability builtins leak host process and HTTP request data

Summary NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The following builtins are not blocked by the dangerous builtin denylist: text diagnosticschannel asynchooks perfhooks These modules are process-wide, not sandbox-local. Sandboxed code c...

8.2CVSS5.8AI score0.00308EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/29 6:20 p.m.14 views

NodeVM observability builtins leak host process and HTTP request data

Summary NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The following builtins are not blocked by the dangerous builtin denylist: text diagnosticschannel asynchooks perfhooks These modules are process-wide, not sandbox-local. Sandboxed code c...

6.9CVSS5.8AI score0.00308EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/05/29 6:17 p.m.19 views

CVE-2026-45627

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

8.2CVSS0.00185EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 5:45 p.m.8 views

CVE-2026-44649

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User Authelia and X-Authentik-Username Authentik HTTP headers to...

9.8CVSS5.8AI score0.00218EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/29 5:8 p.m.12 views

EUVD-2026-33371

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

8.2CVSS5.8AI score0.00185EPSS
Exploits0References1
SUSE Linux
SUSE Linux
added 2026/05/29 3:34 p.m.10 views

Security update for python-urllib3

This update for python-urllib3 fixes the following issue CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied low-level redirects bsc1265267. Patch Instructions: To install this SUSE update use the SUSE recommended installation method...

8.2CVSS5.8AI score0.00527EPSS
Exploits0References4
OSV
OSV
added 2026/05/29 3:34 p.m.5 views

SUSE-SU-2026:2119-1 Security update for python-urllib3

This update for python-urllib3 fixes the following issue - CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied low-level redirects bsc1265267...

8.2CVSS5.8AI score0.00527EPSS
Exploits0References3
CVE
CVE
added 2026/05/29 1:35 p.m.28 views

CVE-2026-45707

n8n-MCP vulnerability CVE-2026-45707 affects HTTP-mode multi-tenant deployments. Before v2.51.2, when ENABLE_MULTI_TENANT=true, per-request target n8n instance is chosen via x-n8n-url/x-n8n-key headers; omitting or partially omitting these headers caused requests to fall back to the operator’s pr...

8.1CVSS5.9AI score0.00235EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/29 1:35 p.m.9 views

CVE-2026-45707 n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that...

8.1CVSS5.9AI score0.00235EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/29 1:35 p.m.34 views

CVE-2026-45707 n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that...

8.1CVSS0.00235EPSS
Exploits0References3
NVD
NVD
added 2026/05/29 11:16 a.m.15 views

CVE-2026-46579

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

7.5CVSS0.0023EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/05/29 9:50 a.m.16 views

CVE-2026-46579

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

7.4CVSS5.7AI score0.0023EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/29 9:50 a.m.10 views

CVE-2026-46579

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

7.5CVSS5.7AI score0.0023EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/29 9:50 a.m.10 views

EUVD-2026-33274

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

7.4CVSS5.7AI score0.0023EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 9:50 a.m.55 views

CVE-2026-46579 Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl-client headers on http frontend

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

7.4CVSS0.0023EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/29 9:50 a.m.15 views

CVE-2026-46579 Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl-client headers on http frontend

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

7.4CVSS5.7AI score0.0023EPSS
Exploits0References5
CVE
CVE
added 2026/05/29 9:50 a.m.25 views

CVE-2026-46579

OpenShift Router flaw: when Route.insecureEdgeTerminationPolicy is Allow, the HTTP frontend does not strip X-SSL-Client-* headers, enabling an unauthenticated attacker to craft requests that bypass mutual TLS authentication by impersonating client certificate identities. Affected component: OpenS...

7.5CVSS5.7AI score0.0023EPSS
Exploits0References6Affected Software2
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.10 views

Red Hat OpenShift Container Platform 授权问题漏洞

Red Hat OpenShift Container Platform is a platform developed by Red Hat Inc. It helps enterprises develop, deploy, and manage existing container-based applications across physical, virtual, and public cloud infrastructures. There is an authorization vulnerability in Red Hat OpenShift Container...

7.4CVSS5.8AI score0.0023EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.10 views

PT-2026-45023

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.4 Description NodeVM exposes process-wide observability builtins when they are permitted via require.builtin. Specifically, the diagnostics channel, async hooks, and perf hooks modules are not included in the dangero...

6.9CVSS5.3AI score0.00308EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.8 views

n8n-MCP 访问控制错误漏洞

n8n-MCP is a model context protocol server developed by Romuald Członkowski, an individual developer. Versions of n8n-MCP prior to 2.51.2 contained an access control vulnerability. This vulnerability arises when multi-tenant mode is enabled, and headers are omitted or only partially provided duri...

8.1CVSS5.9AI score0.00235EPSS
Exploits0References4
Rows per page
Query Builder