CVE-2026-39363

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...

EUVD-2017-15147

Malware in sbrugna...

CVE-2019-16067

NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over HTTP for enforcing access control to the web application. The use of weak authentication transmitted over cleartext protocols can allow an attacker to steal username and password combinations by intercepting authentication...

Design/Logic Flaw

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid...

CVE-2017-6080

CVE-2017-6080 affects Zammad versions prior to 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Root cause: missing protection via HTTP Access-Control headers. Attack surface: cross-domain requests to the REST API for users with a valid session cookie, enabling disclosure of results. Impact ran...

CVE-2015-4520

Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to bypass CORS preflight protection mechanisms by leveraging 1 duplicate cache-key generation or 2 retrieval of a value from an incorrect HTTP Access-Control- response header...