Lucene search
+L

379 matches found

Cvelist
Cvelist
added 2026/01/12 9:54 p.m.26 views

CVE-2026-22794 Account Takeover Vulnerability in Appsmith

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...

9.6CVSS0.00393EPSS
Exploits3References2
CVE
CVE
added 2026/01/12 9:54 p.m.24 views

CVE-2026-22794

Appsmith prior to version 1.93 is vulnerable to Origin header injection. The server previously used the Origin value from request headers as the base URL for password reset and email verification links without validation, allowing an attacker who controls Origin to craft links that point to the a...

9.6CVSS6.7AI score0.00393EPSS
Exploits3References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/12 9:54 p.m.3 views

CVE-2026-22794 Account Takeover Vulnerability in Appsmith

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...

9.6CVSS6.7AI score0.00393EPSS
Exploits3References2
EUVD
EUVD
added 2026/01/12 9:54 p.m.8 views

EUVD-2026-1997

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...

9.6CVSS6.6AI score0.00393EPSS
Exploits3References2
OSV
OSV
added 2026/01/12 9:54 p.m.6 views

CVE-2026-22794 Account Takeover Vulnerability in Appsmith

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...

9.6CVSS7AI score0.00393EPSS
Exploits3References4
OSV
OSV
added 2026/01/12 9:30 a.m.4 views

GHSA-PGQP-8H46-6X4J MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

8.1CVSS6.8AI score0.00193EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/01/12 9:30 a.m.10 views

MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

8.1CVSS6.9AI score0.00193EPSS
Exploits1References5Affected Software1
NVD
NVD
added 2026/01/12 9:15 a.m.9 views

CVE-2025-14279

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

8.1CVSS0.00193EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/01/12 8:15 a.m.30 views

CVE-2025-14279 DNS Rebinding Vulnerability in mlflow/mlflow

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

8.1CVSS0.00193EPSS
Exploits1References2
CVE
CVE
added 2026/01/12 8:15 a.m.45 views

CVE-2025-14279

The CVE details a DNS rebinding vulnerability in MLflow up to version 3.4.0 caused by lack of Origin header validation in the MLflow REST server. The issue allows an attacker to bypass Same-Origin Policy and issue unauthorized requests to REST endpoints, enabling querying, updating, and deleting ...

8.1CVSS7.8AI score0.00193EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/01/12 8:15 a.m.5 views

CVE-2025-14279 DNS Rebinding Vulnerability in mlflow/mlflow

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

8.1CVSS7.2AI score0.00193EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/01/12 12:0 a.m.14 views

PT-2026-2309

Appsmith and Affected Versions Appsmith versions prior to 1.93 Description Appsmith, a platform for building admin panels and internal tools, has a critical issue where the server uses the Origin header from requests without proper validation when generating email links for password resets and...

9.6CVSS5.9AI score0.00393EPSS
Exploits3References26
CNNVD
CNNVD
added 2026/01/12 12:0 a.m.7 views

Appsmith 访问控制错误漏洞

Appsmith is an open source platform from Appsmith Open Source for building, deploying and maintaining internal applications. An Access Control Error vulnerability exists in Appsmith versions prior to 1.93 that stems from the server using the Origin value in the request header as the baseUrl of an...

9.6CVSS6.5AI score0.00393EPSS
Exploits3References2
Positive Technologies
Positive Technologies
added 2026/01/12 12:0 a.m.6 views

PT-2026-1734

Name of the Vulnerable Software and Affected Versions MLFlow versions up to and including 3.4.0 Description MLFlow versions up to and including 3.4.0 are susceptible to DNS rebinding attacks because of missing Origin header validation within the MLFlow REST server. This allows malicious websites ...

8.1CVSS7.9AI score0.00193EPSS
Exploits1References16
CNNVD
CNNVD
added 2026/01/12 12:0 a.m.7 views

MLflow 访问控制错误漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. An Access Control Error vulnerability exists in MLflow 3.4.0 and prior versions, which stems from a la...

8.1CVSS7.9AI score0.00193EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/01/10 5:46 a.m.30 views

CVE-2026-22689 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicio...

6.5CVSS0.00208EPSS
Exploits2References2
CNNVD
CNNVD
added 2026/01/10 12:0 a.m.7 views

Mailpit 安全漏洞

Mailpit is an email testing tool from the individual developer Ralph Slooten. A security vulnerability exists in Mailpit versions prior to 1.28.2, which stems from a lack of Origin header validation in the WebSocket server and could lead to cross-site WebSocket hijacking and data leakage...

6.5CVSS6.2AI score0.00208EPSS
Exploits2References2
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.15 views

PT-2026-2243

Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.28.2 Description Mailpit, an email testing tool and API for developers, contains a Cross-Site WebSocket Hijacking CSWSH issue in its WebSocket server. The server, in versions prior to 1.28.2, does not validate the...

6.5CVSS6.5AI score0.00208EPSS
Exploits2References13
RedhatCVE
RedhatCVE
added 2026/01/08 8:55 a.m.8 views

CVE-2025-9611

Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended...

7.2CVSS6.6AI score0.01148EPSS
Exploits0References1
CVE
CVE
added 2026/01/08 1:20 a.m.31 views

CVE-2026-21883

Bokeh server (Python) CVE-2026-21883 affects 3.8.1 and earlier. Incomplete origin validation in WebSockets due to a flawed host matching in the allowlist enables an attacker to lure a victim to a malicious domain (e.g., dashboard.corp.attacker.com) and initiate a WebSocket connection, potentially...

7.4CVSS6.3AI score0.00159EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder