Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
Impact: Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or...
CVE-2026-27193
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...
Feathers Information Disclosure Vulnerability
Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier contained an information leakage vulnerability. This vulnerability stemmed from the fact that all HTT...
CVE-2025-67685
A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext...
CVE-2025-67685
Fortinet FortiSandbox is affected by CVE-2025-67685 via an SSRF flaw in versions 4.0–5.0.4 (including 4.2 and 4.4). An authenticated attacker can proxy internal plaintext endpoints by crafting HTTP requests; ZDI mentions potential remote code execution through web socket handling. Remediation: up...
SUSE CVE-2025-11393
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allo...
GO-2025-4241 Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access in github.com/RedHatInsights/runtimes-inventory-operator
Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access in github.com/RedHatInsights/runtimes-inventory-operator...
Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allo...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview: Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the misconfiguration of the internal proxy component. An attacker can gain unauthorized cluster administrator privileges by sending crafted commands through the internal proxy...
GHSA-CC8C-28GJ-PX38 Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allo...
CVE-2025-11393
The CVE-2025-11393 entry concerns a misconfigured internal proxy in runtimes-inventory-rhel8-operator. The root cause is an internal proxy component that attaches the cluster’s main administrative credentials to any command, enabling a standard user to issue unauthorized commands with full cluste...
EUVD-2025-28246
Malicious code in bioql PyPI...
CVE-2019-4119
IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 can be used as an HTTP proxy to not only cluster internal but also external target IP addresses. IBM X-Force ID: 158145...
CVE-2000-0007
Trend Micro PC-Cillin does not restrict access to its internal proxy port, allowing remote attackers to conduct a denial of service...