379 matches found
CVE-2026-22794 Account Takeover Vulnerability in Appsmith
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...
CVE-2026-22794
Appsmith prior to version 1.93 is vulnerable to Origin header injection. The server previously used the Origin value from request headers as the base URL for password reset and email verification links without validation, allowing an attacker who controls Origin to craft links that point to the a...
CVE-2026-22794 Account Takeover Vulnerability in Appsmith
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...
EUVD-2026-1997
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...
CVE-2026-22794 Account Takeover Vulnerability in Appsmith
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...
GHSA-PGQP-8H46-6X4J MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
CVE-2025-14279
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
CVE-2025-14279 DNS Rebinding Vulnerability in mlflow/mlflow
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
CVE-2025-14279
The CVE details a DNS rebinding vulnerability in MLflow up to version 3.4.0 caused by lack of Origin header validation in the MLflow REST server. The issue allows an attacker to bypass Same-Origin Policy and issue unauthorized requests to REST endpoints, enabling querying, updating, and deleting ...
CVE-2025-14279 DNS Rebinding Vulnerability in mlflow/mlflow
MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...
PT-2026-2309
Appsmith and Affected Versions Appsmith versions prior to 1.93 Description Appsmith, a platform for building admin panels and internal tools, has a critical issue where the server uses the Origin header from requests without proper validation when generating email links for password resets and...
Appsmith 访问控制错误漏洞
Appsmith is an open source platform from Appsmith Open Source for building, deploying and maintaining internal applications. An Access Control Error vulnerability exists in Appsmith versions prior to 1.93 that stems from the server using the Origin value in the request header as the baseUrl of an...
PT-2026-1734
Name of the Vulnerable Software and Affected Versions MLFlow versions up to and including 3.4.0 Description MLFlow versions up to and including 3.4.0 are susceptible to DNS rebinding attacks because of missing Origin header validation within the MLFlow REST server. This allows malicious websites ...
MLflow 访问控制错误漏洞
MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. An Access Control Error vulnerability exists in MLflow 3.4.0 and prior versions, which stems from a la...
CVE-2026-22689 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicio...
Mailpit 安全漏洞
Mailpit is an email testing tool from the individual developer Ralph Slooten. A security vulnerability exists in Mailpit versions prior to 1.28.2, which stems from a lack of Origin header validation in the WebSocket server and could lead to cross-site WebSocket hijacking and data leakage...
PT-2026-2243
Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.28.2 Description Mailpit, an email testing tool and API for developers, contains a Cross-Site WebSocket Hijacking CSWSH issue in its WebSocket server. The server, in versions prior to 1.28.2, does not validate the...
CVE-2025-9611
Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended...
CVE-2026-21883
Bokeh server (Python) CVE-2026-21883 affects 3.8.1 and earlier. Incomplete origin validation in WebSockets due to a flawed host matching in the allowlist enables an attacker to lure a victim to a malicious domain (e.g., dashboard.corp.attacker.com) and initiate a WebSocket connection, potentially...