Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
Summary: The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthoriz...
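The listener pattern behind this report, as an added example that is not Open WebUI code: a message handler that acts on input:prompt and action:submit from any sender, beside one that checks event.origin against an exact allow-list first. The message shape ({ type, text }), the allowed origin https://chat.example.com and the chat state object are assumptions for the demo; the two MessageEvents are modelled as plain objects so it runs outside a browser.

```javascript
// Added example, not Open WebUI code. A postMessage listener that acts on
// input:prompt / action:submit from any sender, beside one that checks
// event.origin first. The message shape ({ type, text }), the allowed
// origin and the chat state are assumptions made for this demo.

const ALLOWED_ORIGIN = 'https://chat.example.com'; // assumption: the only embedder we trust

// Minimal stand-in for the chat UI state; a real app would render and call its API.
function makeChat() {
  return { prompt: '', submitted: [] };
}

// VULNERABLE: never looks at event.origin, so any page that can obtain a window
// reference to the chat (opener, iframe parent) can script it.
function handleMessageVulnerable(chat, event) {
  const msg = event.data;
  if (!msg || typeof msg.type !== 'string') return 'ignored';
  if (msg.type === 'input:prompt') {
    chat.prompt = String(msg.text ?? '');
    return 'prompt-set';
  }
  if (msg.type === 'action:submit') {
    chat.submitted.push(chat.prompt);
    return 'submitted';
  }
  return 'ignored';
}

// HARDENED: exact match against an allow-list before any message is interpreted.
// event.origin is filled in by the browser and cannot be forged by the sender;
// compare it whole, never with startsWith/includes.
function handleMessageHardened(chat, event, allowedOrigins = [ALLOWED_ORIGIN]) {
  if (!allowedOrigins.includes(event.origin)) return 'rejected-origin';
  return handleMessageVulnerable(chat, event);
}

// Constructed attack: a page on another origin sets the prompt, then submits it.
// In a browser this is victimWindow.postMessage(...) from the attacker's page;
// here the two MessageEvents are plain objects.
function simulateAttack(handler) {
  const chat = makeChat();
  const attacker = 'https://attacker.example';
  const results = [
    handler(chat, { origin: attacker, data: { type: 'input:prompt', text: 'leak my data' } }),
    handler(chat, { origin: attacker, data: { type: 'action:submit' } }),
  ];
  return { results, submitted: chat.submitted };
}

// Page wiring would be: window.addEventListener('message', (e) => handleMessageHardened(chat, e));
console.log('vulnerable:', JSON.stringify(simulateAttack(handleMessageVulnerable)));
console.log('hardened:  ', JSON.stringify(simulateAttack(handleMessageHardened)));
```

The origin check has to come before the message is interpreted at all, and it has to be an exact comparison: checks such as `event.origin.includes('chat.example.com')` are defeated by a host like chat.example.com.attacker.example.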
CVE-2026-34373
Parse Server’s GraphQL API endpoint prior to versions 8.6.66 and 9.7.0-alpha.10 does not respect the allowOrigin setting, unconditionally allowing cross-origin requests from any website and bypassing configured origin restrictions. The REST API enforces allowOrigin correctly. A fix is available i...
PT-2026-29167
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.66; Parse Server versions prior to 9.7.0-alpha.10. Description: Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the GraphQL API endpoint does not enforce the...
Improper Access Control
agentapi is vulnerable to Improper Access Control. The vulnerability is due to client-side DNS rebinding when the API is served over plain HTTP on localhost: an attacker can bypass origin restrictions, access the /messages endpoint and exploit this to exfiltrate sensiti...
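The server-side check that closes the DNS-rebinding path described above, as an added example that is not agentapi code. After the attacker's hostname is re-pointed at 127.0.0.1, the browser connects to the local listener but still sends the attacker's name in the Host header, and a plain same-origin GET carries no Origin header at all, so Host is the signal that survives. The port 3284, the request objects and the hostnames are assumptions.

```javascript
// Added example, not agentapi code. Host-header validation for an HTTP API bound to
// localhost, which is what defeats DNS rebinding: the rebound request reaches the
// local listener with the attacker's hostname in Host and often no Origin header.
// The port (3284) and the request objects below are assumptions for the demo.

const LISTEN_PORT = 3284; // assumption for the demo

// Names that can legitimately address a loopback-only listener.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Split "host[:port]" without mangling bracketed IPv6 literals; null if malformed.
function splitHostPort(hostHeader) {
  const m = /^(\[[^\]]+\]|[^:\s]+)(?::(\d{1,5}))?$/.exec(hostHeader.trim());
  if (!m) return null;
  return { host: m[1].toLowerCase(), port: m[2] === undefined ? null : Number(m[2]) };
}

// Host must be a loopback name and the port must be ours (an omitted port means 80).
function isTrustedHost(hostHeader, listenPort = LISTEN_PORT) {
  if (typeof hostHeader !== 'string') return false;
  const hp = splitHostPort(hostHeader);
  if (!hp || !LOOPBACK_HOSTS.has(hp.host)) return false;
  return hp.port === listenPort || (hp.port === null && listenPort === 80);
}

// When an Origin header is present (cross-origin fetch, CORS preflight) it must also
// name the local listener; anything else is another site's page talking to us.
function isTrustedOrigin(origin, listenPort = LISTEN_PORT) {
  let u;
  try { u = new URL(origin); } catch { return false; }
  return u.protocol === 'http:' && isTrustedHost(u.host, listenPort);
}

// Gate every request before routing: 421 Misdirected Request for a foreign Host,
// 403 for a foreign Origin. Only then is /messages or anything else served.
function authorizeRequest(req, listenPort = LISTEN_PORT) {
  if (!isTrustedHost(req.headers.host, listenPort)) return { status: 421, reason: 'host mismatch' };
  if (req.headers.origin !== undefined && !isTrustedOrigin(req.headers.origin, listenPort)) {
    return { status: 403, reason: 'origin not allowed' };
  }
  return { status: 200, reason: 'ok' };
}

// Constructed requests.
const LEGIT_REQUEST = { headers: { host: 'localhost:3284' } };
// Rebinding: attacker.example now resolves to 127.0.0.1; same-origin GET, no Origin header.
const REBOUND_REQUEST = { headers: { host: 'attacker.example:3284' } };
// Ordinary cross-origin fetch from a remote page straight at localhost (stopped by Origin).
const CROSS_ORIGIN_REQUEST = { headers: { host: 'localhost:3284', origin: 'https://attacker.example' } };

for (const [name, req] of Object.entries({ LEGIT_REQUEST, REBOUND_REQUEST, CROSS_ORIGIN_REQUEST })) {
  console.log(name, authorizeRequest(req));
}
```

Note that an Origin-only check would have passed the rebound request: from the browser's point of view it is same-origin, so nothing in the request identifies the attacker's page except the Host header.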
EUVD-2013-2773
Malware in sbrugna...
EUVD-2016-6143
Malware in sbrugna...
EUVD-2013-2774
Malware in sbrugna...
EUVD-2016-3893
Malware in sbrugna...
CVE-2020-36851
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF). Because the proxy forwards requests and headers, an attacker can reach internal-only endpoints and link-local metadata services...
PT-2025-39389
Name of the Vulnerable Software and Affected Versions: cors-anywhere, affected versions not specified. Description: Instances of cors-anywhere configured as an open proxy permit unauthenticated external users to initiate HTTP requests to arbitrary targets, leading to Server-Side Request Forgery (SSRF)...
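The destination check an open CORS proxy is missing, as an added example that is not cors-anywhere code: allow only http/https, resolve the hostname, reject loopback, RFC 1918, link-local (which covers 169.254.169.254-style metadata services) and other special IPv4 ranges, and pin the vetted address for the outbound connection so a second lookup cannot swap in an internal IP. The resolver is injected so the demo runs offline against a constructed table; in production it would be dns.promises.resolve4. All hostnames and addresses are constructed.

```javascript
// Added example, not cors-anywhere code. Vet a proxy target before forwarding:
// scheme allow-list, resolve, reject internal/special IPv4 ranges, pin the
// address. The resolver is injected (constructed table here, dns.promises.resolve4
// in production). Hostnames and IPs are constructed for the demo.

// Dotted-quad to unsigned 32-bit integer; null if not a plain IPv4 literal.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges a proxy must never reach.
const BLOCKED_V4 = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // shared address space, RFC 6598
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, incl. cloud metadata endpoints
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['224.0.0.0', 4],     // multicast
  ['240.0.0.0', 4],     // reserved and broadcast
];

function inCidr(ipInt, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isPublicIPv4(ip) {
  const n = ipv4ToInt(ip);
  return n !== null && !BLOCKED_V4.some((cidr) => inCidr(n, cidr));
}

// Vet a requested target. Returns { ok:false, reason } or { ok:true, host, pinnedIp }.
function vetTarget(rawUrl, resolve) {
  let u;
  try { u = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  // The WHATWG parser has already normalised alternative IPv4 spellings to dotted quad.
  const host = u.hostname.toLowerCase();
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literal not handled by this demo' };
  const addrs = ipv4ToInt(host) !== null ? [host] : resolve(host);
  if (!addrs || addrs.length === 0) return { ok: false, reason: 'no A records' };
  // Every record must be public: a single internal record in the set is enough for a
  // split-horizon or rebinding trick, since the client library may pick any of them.
  const bad = addrs.find((a) => !isPublicIPv4(a));
  if (bad !== undefined) return { ok: false, reason: `resolves to blocked address ${bad}` };
  // The proxy must connect to pinnedIp while sending Host: host, never re-resolve.
  return { ok: true, host, pinnedIp: addrs[0] };
}

// Constructed DNS table standing in for dns.promises.resolve4.
const FAKE_DNS = {
  'api.example.com': ['203.0.113.10'],                        // constructed public address
  'intranet.corp.example': ['10.0.0.12'],                     // RFC 1918
  'rebinder.attacker.example': ['203.0.113.10', '127.0.0.1'], // mixed record set
};
const fakeResolve = (name) => FAKE_DNS[name] || [];

const PROBES = [
  'https://api.example.com/v1/data',
  'http://169.254.169.254/latest/meta-data/',
  'http://intranet.corp.example/admin',
  'http://rebinder.attacker.example/',
  'file:///etc/passwd',
  'http://user:pw@api.example.com/',
];
for (const p of PROBES) console.log(p, '=>', JSON.stringify(vetTarget(p, fakeResolve)));
```

A real proxy also has to re-run vetTarget on every redirect hop (a public host can 302 to http://169.254.169.254/), refuse to forward hop-by-hop or credential-bearing headers, and extend the block-list to IPv6 (::1, fc00::/7, fe80::/10 and IPv4-mapped addresses), which this demo deliberately refuses rather than classifies.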
CVE-2013-2835
Google Chrome OS before 26.0.1410.57 does not properly enforce origin restrictions for the O3D and Google Talk plug-ins, which allows remote attackers to bypass the domain-whitelist protection mechanism via a crafted web site, a different vulnerability than CVE-2013-2834...
CVE-2013-2834
Google Chrome OS before 26.0.1410.57 does not properly enforce origin restrictions for the O3D and Google Talk plug-ins, which allows remote attackers to bypass the domain-whitelist protection mechanism via a crafted web site, a different vulnerability than CVE-2013-2835...
Improper Input Validation
github.com/gin-contrib/cors is vulnerable to Improper Input Validation. The vulnerability is caused by improper handling of wildcards in origin strings in the parseWildcardRules function within the cors.go file. This allows an attacker to bypass origin restrictions by using similar but...
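How a CORS layer should turn an allowOrigin-style allow-list into the Access-Control-Allow-Origin header (the enforcement the Parse Server GraphQL endpoint above skipped), and why wildcard rules have to be matched on the parsed origin rather than as string prefix and suffix (the gin-contrib/cors entry). This is an added example, not Parse Server or gin-contrib/cors code; the allow-list and probe origins are constructed, and the naive matcher illustrates the general hazard of string-based wildcard matching rather than the exact parseWildcardRules defect, which this page does not spell out.

```javascript
// Added example, not Parse Server or gin-contrib/cors code. Builds the
// Access-Control-Allow-Origin header from an allow-list and contrasts a naive
// prefix/suffix wildcard matcher with one that matches scheme, host labels and
// port. Allow-list and probe origins are constructed for the demo.

// Parse a serialised origin into scheme, lower-cased host and port ('' = default).
// Returns null for anything that is not a bare origin.
function parseOrigin(origin) {
  let u;
  try { u = new URL(origin); } catch { return null; }
  if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
  return { scheme: u.protocol.replace(':', ''), host: u.hostname.toLowerCase(), port: u.port };
}

// NAIVE: split the rule at '*' and test prefix and suffix on the raw string. A trailing
// wildcard meant to allow ports also admits https://app.example.com.attacker.example.
function naiveMatch(rule, origin) {
  const i = rule.indexOf('*');
  if (i === -1) return rule === origin;
  return origin.startsWith(rule.slice(0, i)) && origin.endsWith(rule.slice(i + 1));
}

// STRUCTURAL: '*' may stand only for leading host labels; scheme and port must match exactly.
const LABEL = 'wildcard-label'; // placeholder so the rule itself parses as a URL
function structuralMatch(rule, origin) {
  const r = parseOrigin(rule.replace('*', LABEL));
  const o = parseOrigin(origin);
  if (!r || !o || r.scheme !== o.scheme || r.port !== o.port) return false;
  if (!rule.includes('*')) return r.host === o.host;
  if (!r.host.startsWith(LABEL + '.')) return false; // wildcard anywhere else is refused
  const suffix = r.host.slice(LABEL.length + 1);
  return o.host.length > suffix.length + 1 && o.host.endsWith('.' + suffix);
}

// Build the response headers: reflect the request origin only when a rule matches,
// otherwise send no CORS headers at all. Never echo an arbitrary Origin, and never
// pair "*" with Access-Control-Allow-Credentials.
function corsAllowOriginHeader(allowList, requestOrigin, match = structuralMatch) {
  if (typeof requestOrigin !== 'string') return null;
  for (const rule of allowList) {
    if (match(rule, requestOrigin)) return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
  }
  return null;
}

// Constructed allow-list (a trailing wildcard "for ports" and a subdomain wildcard) and probes.
const ALLOW = ['https://app.example.com*', 'https://*.example.com'];
const PROBES = {
  exact: 'https://app.example.com',
  subdomain: 'https://admin.example.com',
  lookalike: 'https://app.example.com.attacker.example',
  wrongScheme: 'http://app.example.com',
  wrongPort: 'https://app.example.com:8443',
};

function evaluate(match) {
  const out = {};
  for (const [name, origin] of Object.entries(PROBES)) {
    out[name] = corsAllowOriginHeader(ALLOW, origin, match) !== null;
  }
  return out;
}

console.log('naive:     ', evaluate(naiveMatch));
console.log('structural:', evaluate(structuralMatch));
```

The structural matcher refuses the trailing-wildcard rule outright instead of guessing what it meant; if ports need to be allowed, list them as separate exact origins. The Vary: Origin header matters whenever the allowed origin is reflected, otherwise a shared cache can serve one origin's response to another.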
CVE-2024-29203 TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by...
openSUSE: Security Advisory for MozillaThunderbird (SUSE-SU-2023:3228-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
RLSA-2023:4499 Important: thunderbird security update
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Security Fixes: Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions (CVE-2023-4045); Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046); Mozilla:...
RLSA-2023:4468 Important: firefox security update
This update upgrades Firefox to version 102.14.0 ESR. Security Fixes: Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions (CVE-2023-4045); Mozilla: Incorrect value used during WASM compilation (CVE-2023-4046); Mozilla: Potential permissions request bypa...
Important: Red Hat Security Advisory: thunderbird security update
An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update ...
Important: Red Hat Security Advisory: thunderbird security update
An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...
RHEL 8 : thunderbird (RHSA-2023:4500)
The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:4500 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Security Fixes: Mozilla...