Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

8 matches found

OSV
OSVadded 2026/06/19 1:53 p.m.7 views

GHSA-6M68-R693-78QX Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream

Summary The Tilt HUD WebSocket /ws/view is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state...

8.3CVSS5.8AI score
Exploits0References4
RedhatCVE
RedhatCVEadded 2026/06/05 7:10 p.m.10 views

CVE-2026-35589

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to...

9.3CVSS5.5AI score0.0016EPSS
Exploits1References1
EUVD
EUVDadded 2026/03/23 11:44 p.m.2 views

EUVD-2026-14643

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

7.1CVSS5.8AI score0.00178EPSS
Exploits0References2
CVE
CVEadded 2026/01/08 1:20 a.m.22 views

CVE-2026-21883

Bokeh server (Python) CVE-2026-21883 affects 3.8.1 and earlier. Incomplete origin validation in WebSockets due to a flawed host matching in the allowlist enables an attacker to lure a victim to a malicious domain (e.g., dashboard.corp.attacker.com) and initiate a WebSocket connection, potentially...

7.4CVSS6.3AI score0.00159EPSS
Exploits1References3Affected Software1
EUVD
EUVDadded 2025/10/07 12:30 a.m.5 views

EUVD-2017-17298

Malware in sbrugna...

8.8CVSS8.8AI score0.02597EPSS
Exploits1References5
Debian CVE
Debian CVEadded 2025/08/29 3:55 p.m.12 views

CVE-2025-47909

Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin...

7.3CVSS5.3AI score0.00159EPSS
Exploits0
SUSE CVE
SUSE CVEadded 2023/02/15 5:18 a.m.4 views

SUSE CVE-2015-3658

The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to...

6.8CVSS6.2AI score0.01998EPSS
Exploits0References3
Prion
Prionadded 2019/06/18 9:15 p.m.21 views

Design/Logic Flaw

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check which allows an...

6.8CVSS8.8AI score0.02597EPSS
Exploits1References3Affected Software3
Rows per page
Query Builder