Lucene search
+L

46 matches found

Snyk
Snyk
added 2026/07/03 7:13 p.m.3 views

Improper Input Validation

Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Improper Input Validation through the host-validation process. An attacker can cause t...

6.9CVSS6AI score0.00308EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 1:52 p.m.5 views

SUSE-SU-2026:2725-1 Security update for python-tornado6

This update for python-tornado6 fixes the following issues - CVE-2026-49853: authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient bsc1268395. - CVE-2026-49854: out-of-bounds memory access via C extension bsc1268396. - CVE-2026-49855: AsyncHTTPClient accumulates...

7.7CVSS5.9AI score0.00691EPSS
Exploits0References7
GitLab Advisory Database
GitLab Advisory Database
added 2026/07/02 12:0 a.m.13 views

9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

The fix for CVE-2026-46339 unauthenticated RCE via unprotected MCP plugin routes introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes /api/mcp/, /api/tunnel/, /api/cli-tools/ to loopback requests. The gate determines "local" by inspecting the Host and...

10CVSS5.8AI score0.04572EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/06/01 8:22 a.m.8 views

OPENSUSE-SU-2026:20861-1 Security update for python-urllib3

This update for python-urllib3 fixes the following issue - CVE-2026-44431: sensitive information disclosure due to sensitive headers being forwarded across origins in proxied low-level redirects bsc1265267...

8.2CVSS5.8AI score0.00527EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/21 10:37 p.m.47 views

CVE-2026-41057 AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8...

7.1CVSS0.00132EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/17 7:52 p.m.3 views

Permissive Cross-domain Policy with Untrusted Domains

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the allowOrigin function. An attacker can gain unauthorized access to user accounts by exploiting...

8.6CVSS5.8AI score0.00345EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/01/13 12:0 a.m.5 views

MiracleLinux 8 : go-toolset:rhel8 (AXSA:2025-10572:03)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10572:03 advisory. net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 Tenable has extracted the preceding description block directly fr...

6.8CVSS6.4AI score0.0056EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/12/18 12:0 a.m.30 views

CVE-2025-63388

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any...

0.002EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2025/10/09 12:0 a.m.3 views

AlmaLinux 10 : opentelemetry-collector (ALSA-2025:16432)

The remote AlmaLinux 10 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2025:16432 advisory. net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 Tenable has extracted the preceding description block directly from th...

6.8CVSS6.5AI score0.0056EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-7280

Malware in sbrugna...

8.8CVSS7.1AI score0.00481EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2025/09/18 12:0 a.m.6 views

AlmaLinux 9 : opentelemetry-collector (ALSA-2025:15887)

The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2025:15887 advisory. net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 Tenable has extracted the preceding description block directly from the...

6.8CVSS6.5AI score0.0056EPSS
Exploits0References3
OSV
OSV
added 2025/09/16 12:0 a.m.6 views

ALSA-2025:15887 Moderate: opentelemetry-collector security update

Collector with the supported components for a AlmaLinux build of OpenTelemetry Security Fixes: net/http: Sensitive headers not cleared on cross-origin redirect in net/http CVE-2025-4673 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other...

6.8CVSS6.8AI score0.0056EPSS
Exploits0References4
Ubuntu
Ubuntu
added 2025/08/20 5:36 a.m.12 views

USN-7706-1: Ceph vulnerabilities

It was discovered that Ceph incorrectly handled read-only permissions. An authenticated attacker could use this issue to obtain dm-crypt encryption keys. This issue only affected Ubuntu 14.04 LTS. CVE-2018-14662 Sergey Bobrov discovered that Ceph’s RadosGW Ceph Object Gateway allowed the injectio...

6.5CVSS6.5AI score0.01612EPSS
Exploits0
Amazon
Amazon
added 2025/07/10 12:0 a.m.6 views

Medium: runc

Issue Overview: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. CVE-2025-22874 Proxy-Authorization and Proxy-Authenticate headers...

7.5CVSS6.8AI score0.0056EPSS
Exploits0
SUSE Linux
SUSE Linux
added 2025/06/26 8:22 a.m.4 views

Security update for go1.24-openssl

This update for go1.24-openssl fixes the following issues: Update to version 1.24.4 bsc1236217: CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation bsc1244158. CVE-2025-0913 os: inconsistent handling of OCREATE|OEXCL on Unix and Windows bsc1244157. CVE-2025-4673 net/http:...

8.9CVSS7.2AI score0.0056EPSS
Exploits0References16
NVD
NVD
added 2025/06/03 6:15 p.m.28 views

CVE-2025-30360

webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The Origin header is checked to prevent Cross-si...

6.5CVSS0.00289EPSS
Exploits1References4
OSV
OSV
added 2025/03/20 10:15 a.m.6 views

CVE-2024-8026

A Cross-Site Request Forgery CSRF vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating,...

8.1CVSS7.3AI score0.00228EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2023/11/22 12:0 a.m.49 views

Oracle Linux 8 : nodejs:20 (ELSA-2023-7205)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-7205 advisory. - Fixes CVE-2023-44487 nghttp Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus...

9.8CVSS7.3AI score0.99999EPSS
Exploits19References7
CNNVD
CNNVD
added 2022/12/27 12:0 a.m.6 views

handlers 访问控制错误漏洞

handlers is an open source collection of useful middleware for HTTP services and web applications from Gorilla Web Toolkit. A security vulnerability exists in handlers, which stems from a CORS handler that uses incorrect CORS headers...

9.8CVSS7.8AI score0.00699EPSS
Exploits0References4
NVD
NVD
added 2022/12/22 8:15 p.m.21 views

CVE-2022-22757

Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.. This vulnerability affect...

6.5CVSS0.00233EPSS
Exploits0References2
Rows per page
Query Builder