Lucene search
K

476 matches found

EUVD
EUVD
added 6 hours ago4 views

EUVD-2026-43306

A Server-Side Request Forgery SSRF protection bypass existed in the htmltomarkdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges...

8.3CVSS6.1AI score
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/07/06 2:40 a.m.9 views

golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing

A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname for example, xn--example-.com returns example.com instead of an error. Applications that validate the ASCII form then convert to Unicode may grant acce...

9.6CVSS6.6AI score0.00478EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/06/24 1:20 p.m.32 views

CVE-2026-57289

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

0.00108EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 1:20 p.m.7 views

EUVD-2026-38770

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

4.8CVSS5.9AI score0.00108EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 1:20 p.m.103 views

CVE-2026-57289

The vulnerability affects Jenkins Bitbucket Push and Pull Request Plugin prior to 3.3.9. The plugin unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint. This misconfiguration a...

4.8CVSS5.9AI score0.00108EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.13 views

PT-2026-51799

Name of the Vulnerable Software and Affected Versions Jenkins Bitbucket Push and Pull Request Plugin versions prior to 3.3.9 Description The plugin unconditionally disables SSL/TLS certificate and hostname validation when sending Bearer token authenticated requests to the configured Bitbucket...

4.8CVSS5.8AI score0.00108EPSS
Exploits0References4
NVD
NVD
added 2026/06/16 7:17 p.m.21 views

CVE-2026-53859

OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block throu...

6.5CVSS0.0021EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:5 p.m.18 views

CVE-2026-53859

Technical details (affected components, root cause, specific versions, exploitation) are not publicly available in the provided documents. Monitor for updates.

6.5CVSS5.3AI score0.0021EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.20 views

PT-2026-49776

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.26 Description An issue exists in hostname validation where trailing-dot notation in model or workspace-derived URLs can be used to bypass blocklist comparisons. This occurs because hostname checks treat hosts...

6.5CVSS5.2AI score0.0021EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/13 12:34 a.m.11 views

EUVD-2026-36627

OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoin...

6.5CVSS5.3AI score0.00265EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 9:57 p.m.9 views

CVE-2026-53839 OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation

OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoin...

6.5CVSS5.3AI score0.00265EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.17 views

PT-2026-49043

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.7 Description An issue exists in the retry endpoint checks where hostname validation allows matching hostname prefixes instead of requiring exact hostnames. This allows attackers to craft a hostname prefix tha...

6.5CVSS5.2AI score0.00265EPSS
Exploits0References4
NVD
NVD
added 2026/06/05 7:16 p.m.17 views

CVE-2026-46391

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the...

8.7CVSS0.00457EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/05 6:18 p.m.11 views

EUVD-2026-34882

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the...

8.7CVSS5.5AI score0.00457EPSS
Exploits0References1
CVE
CVE
added 2026/06/05 6:18 p.m.34 views

CVE-2026-46391

CVE-2026-46391 concerns HAX CMS/Open-apis where, from versions before 26.0.0, multiple functions perform substring-only hostname validation for basic auth destinations. The underlying issue is substring matching that can be manipulated by an attacker to exfiltrate credentials by directing request...

8.7CVSS5.5AI score0.00457EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/22 5:42 p.m.10 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the ToASCII and ToUnicode functions. An attacker can bypass hostname validation by submitting Punycode-encoded labels that decode to ASCII-only labels, potentially leading to privilege escalation in...

9.6CVSS5.6AI score0.00478EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 5:42 p.m.8 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the ToASCII and ToUnicode functions. An attacker can bypass hostname validation by submitting Punycode-encoded labels that decode to ASCII-only labels, potentially leading to privilege escalation in...

9.6CVSS5.6AI score0.00478EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:44 p.m.11 views

Server-side Request Forgery (SSRF)

Overview @haxtheweb/open-apis is a Shared API infrastructure for HAXTheWeb advanced capabilities like importing, parsing, analysis, migration Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper hostname validation in the cacheAddress, JOSHelpers, and...

8.7CVSS5.4AI score0.00457EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.25 views

Server-side Request Forgery (SSRF)

Overview deepseek-tui is an Install and run deepseek and deepseek-tui binaries from GitHub release artifacts. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchurl process. An attacker can gain unauthorized access to internal resources by supplying ...

7.4CVSS5.8AI score0.00239EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 8:22 p.m.11 views

CLSA-2026-1778768341 python: Fix of 4 CVEs

CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.init via a new validatehost helper to prevent CRLF header injection the glibc...

6.1CVSS7.3AI score0.05328EPSS
Exploits1References1
Rows per page
Query Builder