CVE-2026-0692

The CVE-2026-0692 entry concerns the BlueSnap Payment Gateway for WooCommerce WordPress plugin. Affected component: the plugin (up to version 3.3.0). Root cause: it validates IPN requests by relying on WooCommerce’s WC_Geolocation::get_ip_address(), which trusts user-controllable headers (e.g., X...

RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

Summary IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...

CVE-2026-21862

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy...

CVE-2026-21862 RustFS sourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy...

CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

PT-2026-1292

Name of the Vulnerable Software and Affected Versions Mega-Fence versions 25.1.914 and prior Description The software does not validate a trusted proxy chain when using the X-Forwarded-For XFF header to determine the client IP address. An attacker can manipulate the XFF header to spoof the client...

Remote file existence check vulnerability in `mlflow server` and `mlflow ui` CLIs

Impact Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the mlflow server or mlflow ui commands using an MLflow version older than MLflow 2.2.1 may be vulnerable to a remote file existence check exploit if they are not limiting who can query their server for...

CVE-2022-43782

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the...

Path traversal

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the...

CVE-2022-43782

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the...

CVE-2022-43782

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the...

Crowd DC Critical Security Misconfiguration Vulnerability - CVE-2022-43782

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the crowd application...

Gitlab -- multiple vulnerabilities

Gitlab reports: Revoke access to confidential notes todos Pipeline subscriptions trigger new pipelines with the wrong author Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email Import via git protocol allows to...

FreeBSD : Gitlab -- multiple vulnerabilities (f414d69f-e43d-11ec-9ea4-001b217b3468)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the f414d69f-e43d-11ec-9ea4-001b217b3468 advisory. - Gitlab reports: Account take over via SCIM email change Stored XSS in Jira integration Quick...

Gitlab -- multiple vulnerabilities

Gitlab reports: Account take over via SCIM email change Stored XSS in Jira integration Quick action commands susceptible to XSS IP allowlist bypass when using Trigger tokens IP allowlist bypass when using Project Deploy Tokens Improper authorization in the Interactive Web Terminal Subgroup member...