22 matches found

CVE · added 2 days ago · 27 views

CVE-2026-54761

CVE-2026-54761 – Traefik Kubernetes Gateway crossProviderNamespaces bypass: The issue allows an HTTPRoute outside the allow-listed namespace to expose internal Traefik services (e.g., api@internal, dashboard@internal, rest@internal) via cross-provider TraefikService references when the route use...

CVSS 6 · AI score 5.9 · EPSS 0.00384
Exploits: 1 · References: 3
Positive Technologies · added 2026/06/17 12:00 a.m. · 9 views

PT-2026-50495

Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 3.6.21; Traefik versions prior to 3.7.5. Description: An issue exists in the Kubernetes Gateway provider regarding the crossProviderNamespaces allowlist. When HTTPRoute rules declare multiple backendRefs (Weighted Round...

CVSS 6 · AI score 5.9 · EPSS 0.00384
Exploits: 1 · References: 5
Veracode · added 2026/05/16 5:25 a.m. · 7 views

Improper Access Control

Traefik is vulnerable to Improper Access Control. The vulnerability is due to insufficient validation of TraefikService backend references ending with @internal, which allows an attacker with HTTPRoute creation permissions to access the internal REST provider and perform unauthorized configuratio...

CVSS 9.9 · AI score 5.4 · EPSS 0.00442
Exploits: 1 · References: 5 · Affected software: 3
Snyk · added 2026/05/13 3:29 p.m. · 4 views

Access Control Bypass

Overview: Affected versions of this package are vulnerable to Access Control Bypass in the handling of internal service references by the Gateway API provider. An attacker can gain unauthorized dynamic configuration write access by creating or updating an HTTPRoute that targets rest@internal, even...

CVSS 9.9 · AI score 5.8 · EPSS 0.00442
Exploits: 1 · References: 2
Positive Technologies · added 2026/05/13 12:00 a.m. · 10 views

PT-2026-40716

Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 2.11.46; Traefik versions prior to 3.6.17; Traefik versions prior to 3.7.1. Description: Traefik's Kubernetes Gateway API provider contains an authorization bypass that allows a tenant with HTTPRoute creation permissions ...

CVSS 9.9 · AI score 5.8 · EPSS 0.00442
Exploits: 1 · References: 12
Cvelist · added 2026/04/10 4:03 p.m. · 22 views

CVE-2026-35657 OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint...

CVSS 7.1 · EPSS 0.00232
Exploits: 0 · References: 3
Snyk · added 2026/03/11 6:44 p.m. · 6 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via unsanitized header or query parameter match values in the HTTPRoute resource. An attacker can bypass listener hostname constraints and...

CVSS 7.6 · AI score 7.2 · EPSS 0.00277
Exploits: 0 · References: 2
Snyk · added 2026/03/11 6:44 p.m. · 3 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via unsanitized header or query parameter match values in the HTTPRoute resource. An attacker can bypass listener hostname constraints and...

CVSS 7.6 · AI score 5.8 · EPSS 0.00277
Exploits: 0 · References: 2
Cvelist · added 2026/03/11 3:54 p.m. · 27 views

CVE-2026-29777 Traefik has a Kubernetes Gateway rule injection via unescaped backticks in HTTPRoute match values

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, a tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can...

CVSS 6.1 · EPSS 0.00277
Exploits: 0 · References: 2
EUVD · added 2026/03/11 2:49 p.m. · 3 views

EUVD-2026-11201

Traefik: Kubernetes Gateway rule injection via unescaped backticks in HTTPRoute match values...

CVSS 6.1 · AI score 5.8 · EPSS 0.00277
Exploits: 0 · References: 2
OSV · added 2026/03/11 2:49 p.m. · 5 views

GHSA-8Q2W-WR49-WHQJ Traefik: Kubernetes Gateway rule injection via unescaped backticks in HTTPRoute match values

Summary: There is a potential vulnerability in Traefik's Kubernetes Gateway provider related to rule injection. A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. ...

CVSS 6.1 · AI score 5.8 · EPSS 0.00277
Exploits: 0 · References: 4
CNNVD · added 2026/03/11 12:00 a.m. · 3 views

Traefik injection vulnerability

Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. Versions of Traefik prior to 3.6.10 had an injection vulnerability. This vulnerability stems from tenants who have write access to HTTPRoute resources being able to inject rule tokens through unsanitized header or...

CVSS 6.5 · AI score 7.2 · EPSS 0.00277
Exploits: 0 · References: 2
OSV · added 2026/02/27 2:17 a.m. · 3 views

GO-2026-4554 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route in github.com/esm-dev/esm.sh

esm.sh has SSRF localhost/private-network bypass in /https module route in github.com/esm-dev/esm.sh...

CVSS 8.6 · AI score 7.3 · EPSS 0.00339
Exploits: 1 · References: 5
Snyk · added 2026/02/25 10:57 p.m. · 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /https route handler. An attacker can access internal network resources and retrieve sensitive information by supplying a crafted domain that resolves to a loopback or private IP address, thereby...

CVSS 8.7 · AI score 5.9 · EPSS 0.00339
Exploits: 1 · References: 2
Github Security Blog · added 2026/02/25 10:57 p.m. · 7 views

esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

Summary: An SSRF vulnerability (CWE-918) exists in esm.sh's /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (for example, 127.0.0.1.nip.io resolving to 127.0.0.1). This allows a...

CVSS 8.6 · AI score 5.7 · EPSS 0.00339
Exploits: 1 · References: 6 · Affected software: 1
Snyk · added 2026/02/25 10:57 p.m. · 3 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /https route handler. An attacker can access internal network resources and retrieve sensitive information by supplying a crafted domain that resolves to a loopback or private IP address, thereby...

CVSS 8.7 · AI score 5.9 · EPSS 0.00339
Exploits: 1 · References: 2
OSV · added 2026/02/25 10:57 p.m. · 5 views

GHSA-P2V6-84H2-5X4R esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

Summary: An SSRF vulnerability (CWE-918) exists in esm.sh's /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (for example, 127.0.0.1.nip.io resolving to 127.0.0.1). This allows a...

CVSS 8.6 · AI score 5.8 · EPSS 0.00339
Exploits: 1 · References: 6
OSV · added 2026/02/25 3:37 p.m. · 3 views

CVE-2026-27730 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh's /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypass...

CVSS 8.6 · AI score 5.6 · EPSS 0.00339
Exploits: 1 · References: 3
EUVD · added 2025/10/07 12:30 a.m. · 3 views

EUVD-2019-12030

Malware in sbrugna...

CVSS 5.8 · AI score 5.6 · EPSS 0.00999
Exploits: 0 · References: 2
Vulnrichment · added 2025/05/08 11:24 a.m. · 5 views

CVE-2025-3506 Potentially sensitive path exposed via unauthenticated HTTP route

Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and Checkmk 2.4.0b6, allowing an attacker to access files that could contain secrets...

CVSS 6.3 · AI score 6.7 · EPSS 0.00275
Exploits: 0 · References: 1