94 matches found
CVE-2026-58122 Hermes WebUI < 0.51.307 Authentication Bypass via X-Forwarded-For Header Spoofing
Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to...
Malicious code in local-ip-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5741cea5f57c51246c2944fda4ecf601f191b482e5c6effa22b640f8701a00e8 index.js imports childprocess and calls execSync with bash and zsh lines 301 and 317. Without further context, it is unclear whether these invocation...
MAL-2026-6282 Malicious code in local-ip-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5741cea5f57c51246c2944fda4ecf601f191b482e5c6effa22b640f8701a00e8 index.js imports childprocess and calls execSync with bash and zsh lines 301 and 317. Without further context, it is unclear whether these invocation...
CVE-2026-45561
CVE-2026-45561 affects Roxy-WI web interface (versions 8.2.6.4 and earlier) and allows SSRF via the /smon/agent/{version,uptime,status,checks}/ endpoints. The path component is passed verbatim into requests.get("http://{server_ip}:{agent_port}/...") and is only constrained by Flask’s default URL ...
Astra Linux - уязвимость в cloud-init
When a non-x86 platform is detected, cloud-init grants root access to a hardcoded URL with a local IP address. To prevent this, cloud-init’s default configurations disable platform enumeration...
FreeScout 1.8.206 Network Reachability and HTTP Security Audit Scanner
The provided PHP script is a network reconnaissance and auditing tool designed to scan a local IP range and identify reachable hosts potentially running web services such as FreeScout...
CVE-2021-22970
Concrete CMS formerly concrete5 versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network appsandb. SS...
EulerOS 2.0 SP10 : cloud-init (EulerOS-SA-2025-2408)
According to the versions of the cloud-init package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this,cloud-init defau...
EUVD-2021-2351
Malware in sbrugna...
EUVD-2020-4259
Malware in sbrugna...
EUVD-2025-7318
Malicious code in bioql PyPI...
EUVD-2025-28984
Malicious code in bioql PyPI...
EUVD-2024-3353
Malicious code in bioql PyPI...
EUVD-2024-33023
Malicious code in bioql PyPI...
EUVD-2023-2458
Malicious code in bioql PyPI...
cloud-init: Cloud init permissions flaw
An access permissions flaw was found in cloud-init. When a non-x86 platform is detected, cloud-init grants root access to a hardcoded URL with a local IP address, which creates a security exposure...
cloud-init: Cloud init permissions flaw
An access permissions flaw was found in cloud-init. When a non-x86 platform is detected, cloud-init grants root access to a hardcoded URL with a local IP address, which creates a security exposure...
Amazon Linux 2023 : cloud-init, cloud-init-cfg-ec2, cloud-init-cfg-onprem (ALAS2023-2025-1082)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1082 advisory. When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration...
AZL-64374 CVE-2024-6174 affecting package cloud-init for versions less than 23.3-7
When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration...
CVE-2024-6174
When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration...