CVE-2026-46356
Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...
CVE-2026-24000 Fleet has a rate limiting bypass via untrusted client IP headers
Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limitin...
Astra Linux - vulnerability in linux, linux-5.10, linux-5.15, linux-6.1
In the Linux kernel, the following vulnerabilities have been resolved: gtp: The network headers were pulled into gtp_dev_xmit. syzbot/KMSAN reported the use of uninit-value in get_dev_xmit. [1] We must ensure that the IPv4 or IPv6 headers are pulled into skb->head before accessing fields within them. Use...
CVE-2026-29794
Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...
CVE-2025-51663
A vulnerability found in IPRateLimit implementation of FileCodeBox up to 2.2 allows remote attackers to bypass ip-based rate limit protection and failed attempt restrictions by faking X-Real-IP and X-Forwarded-For HTTP headers. This can enable attackers to perform DoS attacks or brute force share...
EUVD-2024-2505
Malicious code in bioql PyPI...
EUVD-2024-53171
Malicious code in bioql PyPI...
EUVD-2025-15258
Malicious code in bioql PyPI...
CVE-2023-5538
The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Request Headers in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...
CVE-2024-8397
The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious...
CVE-2024-8397
CVE-2024-8397 affects the WordPress plugin webtoffee-gdpr-cookie-consent (versions before 2.6.1). The root cause is improper sanitization/escaping of IP headers when logging, enabling a Stored XSS payload. The attack pattern is triggered when an admin visits the Consent report page, with the scri...
PT-2025-1236 · IETF · Proposed Generic UDP Encapsulation
Name of the Vulnerable Software and Affected Versions: Proposed Generic UDP Encapsulation (GUE) IETF Draft, affected versions not specified. Description: The issue concerns the lack of validation or verification of the source of a network packet in the Proposed Generic UDP Encapsulation (GUE) IETF Draf...
IP Address Spoofing
serilog.enrichers.clientinfo is vulnerable to IP Spoofing. The vulnerability is caused due to a failure to validate IP address specified in X-Forwarded-For or Client-Ip headers. This allows attackers to falsify their IP addresses by specifying an arbitrary IP as a value of X-Forwarded-For or...
CVE-2022-1601
The User Access Manager WordPress plugin before 2.2.18 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible for attackers to access restricted content in certain situations...
CVE-2023-36456 Authentik lacks Proxy IP headers validation
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without a reverse proxy a...
GSD-2022-1007883 net: use struct_group to copy ip/ipv6 header addresses
net: use struct_group to copy ip/ipv6 header addresses This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.15.80 by commit...
zeek -- potential DoS vulnerabilities
Tim Wojtulewicz of Corelight reports: Fix an issue where a specially-crafted FTP packet can cause Zeek to spend large amounts of time attempting to search for valid commands in the data stream. Fix a possible overflow in the Zeek dictionary code that may lead to a memory leak. Fix an issue where ...
FreeBSD : zeek -- potential DoS vulnerabilities (60d4d31a-a573-41bd-8c1e-5af7513c1ee9)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 60d4d31a-a573-41bd-8c1e-5af7513c1ee9 advisory. - Tim Wojtulewicz of Corelight reports: Fix an issue where a specially-crafted FTP packet can cause Zee...