41 matches found

Source: Cvelist (added yesterday, 5 views)

CVE-2026-36604

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: * to...

Exploits: 0, References: 1
Source: EUVD (added yesterday, 2 views)

EUVD-2026-34143

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: * to...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 1
Source: Cvelist (added 2026/05/14 3:44 p.m., 35 views)

CVE-2026-42283 DevSpace UI Server WebSocket CheckOrigin does not validate source

DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the...

CVSS 7.7, EPSS 0.00005
Exploits: 0, References: 1
Source: Github Security Blog (added 2026/04/14 11:13 p.m., 2 views)

WWBN AVideo: missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

Summary: objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check Origin/Referer. Because AVideo intentionally sets...

CVSS 5.4, AI score 5.5, EPSS 0.00028
Exploits: 1, References: 4, Affected Software: 1
Source: EUVD (added 2026/03/20 6:33 p.m., 2 views)

EUVD-2026-13766

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins='*', allow_credentials=True, allow_methods="*", and allow_headers="*". The...

CVSS 8.1, AI score 5.8, EPSS 0.00018
Exploits: 1, References: 1
Source: Positive Technologies (added 2026/02/11 12:00 a.m., 3 views)

PT-2026-7613

Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on...

CVSS 3.6, AI score 5.5, EPSS 0.00008
Exploits: 0, References: 2
Source: EUVD (added 2025/10/07 12:30 a.m., 2 views)

EUVD-2016-5661

Malware in sbrugna...

CVSS 7.5, AI score 7.5, EPSS 0.01783
Exploits: 0, References: 6
Source: EUVD (added 2025/10/07 12:30 a.m., 2 views)

EUVD-2017-0359

Malware in sbrugna...

CVSS 7.5, AI score 7.6, EPSS 0.00329
Exploits: 1, References: 6
Source: EUVD (added 2025/10/07 12:30 a.m., 2 views)

EUVD-2021-23361

Malware in sbrugna...

CVSS 7.5, AI score 7.4, EPSS 0.01511
Exploits: 1, References: 5
Source: EUVD (added 2025/10/07 12:30 a.m., 1 view)

EUVD-2018-4332

Malware in sbrugna...

CVSS 4.3, AI score 7, EPSS 0.00286
Exploits: 0, References: 9
Source: EUVD (added 2025/10/07 12:30 a.m., 1 view)

EUVD-2021-2580

Malware in sbrugna...

CVSS 4, AI score 6.1, EPSS 0.00455
Exploits: 0, References: 8
Source: EUVD (added 2025/10/07 12:30 a.m., 1 view)

EUVD-2019-3432

Malware in sbrugna...

CVSS 6.1, AI score 8, EPSS 0.00353
Exploits: 0, References: 20
Source: EUVD (added 2025/10/03 8:07 p.m., 2 views)

EUVD-2025-13306

Malicious code in bioql PyPI...

CVSS 3.7, AI score 3.8, EPSS 0.0134
Exploits: 1, References: 7
Source: EUVD (added 2025/10/03 8:07 p.m., 2 views)

EUVD-2023-29648

Malicious code in bioql PyPI...

CVSS 6.5, AI score 7.8, EPSS 0.00447
Exploits: 1, References: 6
Source: OSV (added 2025/05/02 9:15 p.m., 0 views)

UBUNTU-CVE-2025-4215

A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to laun...

CVSS 3.7, AI score 4.3, EPSS 0.0134
Exploits: 1, References: 7
Source: CVE (added 2025/05/02 8:31 p.m., 65 views)

CVE-2025-4215

CVE-2025-4215 affects gorhill uBlock Origin up to 1.63.3b16, specifically the UI function currentStateChanged in src/js/1p-filters.js. The issue is described as an inefficient regular expression pattern used in filters, which can be triggered remotely and carries a relatively high attack complexi...

CVSS 3.7, AI score 4, EPSS 0.0134
Exploits: 1, References: 6, Affected Software: 1
Source: Vulnrichment (added 2025/01/21 4:26 a.m., 6 views)

CVE-2025-23086

On most desktop platforms, Brave Browser versions 1.70.x-1.73.x included a feature to show a site's origin on the OS-provided file selector dialog when a site prompts the user to upload or download a file. However, the origin was not correctly inferred in some cases. When combined with an open...

AI score 6.7, EPSS 0.00403
Exploits: 0, References: 1
Source: Tenable Nessus (added 2024/11/08 12:00 a.m., 13 views)

RockyLinux 8 : python3.12-urllib3 (RLSA-2024:8842)

The remote RockyLinux 8 host has a package installed that is affected by a vulnerability as referenced in the RLSA-2024:8842 advisory. urllib3: Proxy-Authorization request header is not stripped during cross-origin redirects (CVE-2024-37891). Tenable has extracted the preceding description block...

CVSS 6.5, AI score 6.6, EPSS 0.00222
Exploits: 1, References: 3
Source: OSV (added 2024/11/01 11:09 a.m., 2 views)

OESA-2024-2319 firefox security update

Mozilla Firefox is a standalone web browser, designed for standards compliance and performance. Its functionality can be enhanced via a plethora of extensions. Security Fixes: A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability...

CVSS 4.7, AI score 8.3, EPSS 0.00112
Exploits: 0, References: 2
Source: Vulnrichment (added 2022/07/20 11:00 p.m., 6 views)

CVE-2022-31151 Uncleared cookies on cross-host/cross-origin redirect in undici

Authorization headers are cleared on cross-origin redirect. However, Cookie headers, which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using Cookie headers in undici. This may lead to accidental leakage of cookies to a third-party site or...

CVSS 3.7, AI score 6.5, EPSS 0.00118
Exploits: 1, References: 4