CVE-2026-24029 DNS over HTTPS ACL bypass
When the earlyACLDrop option (enabled by default) is disabled on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL...
CVE-2026-24029
When the earlyACLDrop option (enabled by default) is disabled on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL...
Fedora 42 : cpp-httplib (2026-04a531cece)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-04a531cece advisory. Update to 0.37.2 - Fixes silent TLS certificate verification bypass on HTTPS Redirect via proxy CVE-2026-32627, rhbz2448105 Source:...
CVE-2026-30563
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-30 16:09:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mic2d6kslw2s... |
EUVD-2026-17062
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential...
Cleartext Transmission of Sensitive Information
Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information in the process of establishing HTTPS tunnels through a configured HTTP proxy. An attacker can intercept sensitive session cookies by performing a man-in-the-middle attack or by controlling...
CVE-2026-5119
CVE-2026-5119 concerns libsoup. The flaw: when establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext inside the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, enabling ...
CVE-2026-5119
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential...
CVE-2021-27142
An issue was discovered on FiberHome HG6245D devices through RP2613. The web management is done over HTTPS, using a hardcoded private key that has 0777 permissions...
CVE-2026-31921
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 21:35:15+00:00 | seen | Telegram/zW9IZrd6TGtn6tlC-J0V1NpAAnhFTvKo2N1YPzc1YC33cco |
| 2026-03-26 21:35:36+00:00 | seen | Telegram/jNlDBTackbRa-OzLBD4eltRa4dE7lS0-uVg4cHfoz-Hg |
| 2026-04-08 01:30:07+00:00 | seen | ... |
Update Rollup 1 for System Center 2025 Virtual Machine Manager
Update Rollup 1 for System Center 2025 Virtual Machine Manager Applies to Microsoft System Center 2025 Virtual Machine Manager Introduction This article lists the new enhancements and bug fixes that come with System Center Virtual Machine Manager 2025 UR1 release. This article also provides the...
Sensitive Cookie in HTTPS Session Without "Secure" Attribute
Overview @grackle-ai/server is a Grackle server orchestrator — spawns and wires core gRPC, web-server HTTP, MCP, and PowerLine Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in the session process. An attacker can intercept session...
@grackle-ai/server has a Missing Secure Flag on Session Cookie
Impact The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections. Since the server binds to 127.0.0.1 by default and uses HTTP not HTTPS, this is acceptable for localhost use. However, when...
GHSA-5J35-XR4G-VWF4 @grackle-ai/server has a Missing Secure Flag on Session Cookie
Impact The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections. Since the server binds to 127.0.0.1 by default and uses HTTP not HTTPS, this is acceptable for localhost use. However, when...
CVE-2026-33407 Wallos: SSRF via HTTP Proxy Environment Variable
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search...
CVE-2026-32947
A flaw was found in Harden-Runner. A remote attacker with existing code execution within a GitHub Actions workflow could exploit a DNS over HTTPS (DoH) vulnerability to bypass network restrictions. This allows for the exfiltration of sensitive data by encoding it within DoH queries, which appear as...
CVE-2026-32947
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, a DNS over HTTPS (DoH) vulnerability allows attackers to bypass egress-policy: block network restrictions by tunneling exfiltrated data through permitted HTTPS endpoints like...
CVE-2026-32947 Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, a DNS over HTTPS (DoH) vulnerability allows attackers to bypass egress-policy: block network restrictions by tunneling exfiltrated data through permitted HTTPS endpoints like...
EUVD-2026-13539
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, a DNS over HTTPS (DoH) vulnerability allows attackers to bypass egress-policy: block network restrictions by tunneling exfiltrated data through permitted HTTPS endpoints like...