CVE-2026-41057 AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8...

Permissive Cross-domain Policy with Untrusted Domains

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the allowOrigin function. An attacker can gain unauthorized access to user accounts by exploiting...

MiracleLinux 8 : go-toolset:rhel8 (AXSA:2025-10572:03)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10572:03 advisory. net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 Tenable has extracted the preceding description block directly fr...

CVE-2025-63388

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any...

AlmaLinux 10 : opentelemetry-collector (ALSA-2025:16432)

The remote AlmaLinux 10 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2025:16432 advisory. net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 Tenable has extracted the preceding description block directly from th...

EUVD-2018-7280

Malware in sbrugna...

AlmaLinux 9 : opentelemetry-collector (ALSA-2025:15887)

The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2025:15887 advisory. net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 Tenable has extracted the preceding description block directly from the...

ALSA-2025:15887 Moderate: opentelemetry-collector security update

Collector with the supported components for a AlmaLinux build of OpenTelemetry Security Fixes: net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other...

USN-7706-1: Ceph vulnerabilities

It was discovered that Ceph incorrectly handled read-only permissions. An authenticated attacker could use this issue to obtain dm-crypt encryption keys. This issue only affected Ubuntu 14.04 LTS. CVE-2018-14662 Sergey Bobrov discovered that Ceph’s RadosGW Ceph Object Gateway allowed the injectio...

Medium: runc

Issue Overview: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. CVE-2025-22874 Proxy-Authorization and Proxy-Authenticate headers...

Security update for go1.24-openssl

This update for go1.24-openssl fixes the following issues: Update to version 1.24.4 bsc1236217: CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation bsc1244158. CVE-2025-0913 os: inconsistent handling of OCREATE|OEXCL on Unix and Windows bsc1244157. CVE-2025-4673 net/http:...

CVE-2025-30360

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...

CVE-2024-8026

A Cross-Site Request Forgery CSRF vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating,...

Oracle Linux 8 : nodejs:20 (ELSA-2023-7205)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-7205 advisory. - Fixes CVE-2023-44487 nghttp Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus...

handlers 访问控制错误漏洞

handlers is an open source collection of useful middleware for HTTP services and web applications from Gorilla Web Toolkit. A security vulnerability exists in handlers, which stems from a CORS handler that uses incorrect CORS headers...

CVE-2022-22757

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.. This vulnerability affect...

Default configuration

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.. This vulnerability affect...

CVE-2022-22757

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.. This vulnerability affect...

Design/Logic Flaw

Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. NOTE: although this was fixed by Brave, the Brave documentation still advises "Note that Private Windows with Tor Connectivity in Brave are just regular private windows that us...

CVE-2022-30334

Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. NOTE: although this was fixed by Brave, the Brave documentation still advises "Note that Private Windows with Tor Connectivity in Brave are just regular private windows that us...