CVE-2026-56232

Capgo before 12.128.2 fails to enforce limitedtoorgs and limitedtoapps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the...

EUVD-2026-35348

A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the...

Zephyr 安全漏洞

Zephyr is an open-source, scalable real-time operating system RTOS developed by Zephyr. There is a security vulnerability in Zephyr, which stems from memory corruption in the WebSocket upgrade path of the HTTP server. This vulnerability could allow remote, unauthenticated attackers to trigger...

PT-2026-47689

Name of the Vulnerable Software and Affected Versions Zephyr affected versions not specified Description A remote, unauthenticated attacker can cause memory corruption in the HTTP server WebSocket upgrade path. The issue occurs because the HTTP/1 header parser uses a bounded copy to move the...

CVE-2026-3718

The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This is due to insufficient input sanitization and output escaping of attacker-controlled header values. This makes it...

CVE-2026-42449

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path N8NDocumentationMCPServer constructor, getN8nApiClient, and validateInstanceContext, the synchronous URL validator in...

PUB-A-485031572

In iavbparsekeydata of avbrsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-8890

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is...

PT-2026-43378

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is...

CVE-2026-45339

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...

CVE-2026-45339

Open WebUI (self-hosted offline AI platform) has a vulnerability where endpoint access restrictions on API keys could be bypassed by using the x-api-key header, even when the key was restricted from sensitive endpoints like /api/v1/messages. Prior to version 0.9.0, requests with Authorization: Be...

CVE-2026-45339

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...

PT-2026-41174

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description An issue exists where administrators' restrictions on API endpoint access can be bypassed. While requests using the Authorization: Bearer header are correctly blocked when restricted from the...

GHSA-56C3-VFP2-5QQJ n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders

Impact In the SDK embedder path N8NDocumentationMCPServer constructor, getN8nApiClient, and validateInstanceContext, the synchronous URL validator in SSRFProtection.validateUrlSync had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://::ffff:169.254.169.254 bypassed the cloud-metadata,...

CVE-2026-40525

OpenViking prior to commit c7bb167 contains an authentication bypass in the VikingBot OpenAPI HTTP route surface. If api_key is unset or empty, authentication checks fail and remote attackers with network access can invoke privileged bot-control functionality without a valid X-API-Key header, inc...

EUVD-2026-14599

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intend...

curl: CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap

Summary: CURLOPTUNRESTRICTEDAUTH=1 instructs libcurl to send credentials to ALL hosts during redirect chains, 'possibly again and again as the following hosts can keep redirecting to new hosts.' The documentation explicitly warns this is dangerous, but the default behavior is also risky: curl onl...

PT-2026-27245

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.7 Description OpenClaw’s fetchWithSsrFGuard... function improperly validates headers during cross-origin redirects, allowing custom authorization headers like X-Api-Key and Private-Token to be forwarded to a...

CVE-2026-22198

GestSup prior to 3.2.60 (with sources also citing up to 3.2.56 in ENISA EUVD) contains a pre-authentication stored XSS in the API error logging. An unauthenticated attacker can craft the X-API-KEY header (e.g., to /api/v1/ticket.php) to inject HTML/JavaScript into log entries; when an administrat...

CVE-2025-41714 Path Traversal via 'Upload-Key' in SmartEMS Upload Handling

The upload endpoint insufficiently validates the 'Upload-Key' request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain configurations this enables arbitrary file write...