Lucene search
K

186 matches found

Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.4 views

PT-2026-29868

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to commit 8aceaf5 Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass in shell-bleed protection. This allows attackers to execute blocked script content by using piped or complex...

5.4CVSS6.1AI score0.00303EPSS
Exploits0References9
OSV
OSV
added 2026/03/26 10:9 p.m.6 views

GHSA-HFF2-GCPX-8F4P Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery

Impact In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Request Sharing CORS protocol, th...

6.3CVSS6AI score
Exploits0References6
OSV
OSV
added 2026/03/26 9:53 p.m.4 views

GHSA-9Q82-XGWF-VJ6H Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention

Impact In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Request Sharing CORS protocol, an...

6.3CVSS6AI score
Exploits0References6
OSV
OSV
added 2026/03/11 12:21 a.m.5 views

GHSA-775H-3XRC-C228 Parse Server has a rate limit bypass via batch request endpoint

Impact Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...

6.9CVSS5.8AI score0.00342EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/03/06 7:45 p.m.7 views

CVE-2025-64166

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...

5.4CVSS5.6AI score0.00159EPSS
Exploits1References1
OSV
OSV
added 2026/03/05 6:18 p.m.7 views

GHSA-V66J-6WWF-JC57 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Summary A Cross-Site Request Forgery CSRF vulnerability was identified in Mercurius versions 16. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or...

5.4CVSS5.9AI score0.00159EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/05 6:18 p.m.9 views

Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Summary A Cross-Site Request Forgery CSRF vulnerability was identified in Mercurius versions 16. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or...

5.4CVSS5.9AI score0.00159EPSS
Exploits1References5Affected Software1
NVD
NVD
added 2026/03/05 4:16 p.m.6 views

CVE-2025-64166

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...

5.4CVSS0.00159EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/05 3:31 p.m.4 views

CVE-2025-64166

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...

5.4CVSS5.7AI score0.00159EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/05 3:31 p.m.5 views

CVE-2025-64166 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...

5.4CVSS5.7AI score0.00159EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/05 3:31 p.m.30 views

CVE-2025-64166 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...

5.4CVSS0.00159EPSS
Exploits1References3
OSV
OSV
added 2026/03/05 3:31 p.m.4 views

CVE-2025-64166 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...

5.4CVSS5.6AI score0.00159EPSS
Exploits1References5
CVE
CVE
added 2026/03/05 3:31 p.m.11 views

CVE-2025-64166

Mercurius (GraphQL adapter for Fastify) has a CSRF flaw prior to v16.4.0 caused by incorrect parsing of Content-Type headers. Requests with Content-Type like application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json, bypassing fetch() prefli...

5.4CVSS5.7AI score0.00159EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/05 12:0 a.m.8 views

PT-2026-23452

Name of the Vulnerable Software and Affected Versions Mercurius versions prior to 16.4.0 Description Mercurius, a GraphQL adapter for Fastify, was found to have a cross-site request forgery CSRF issue. The problem stems from the incorrect parsing of the Content-Type header in requests...

5.4CVSS5.6AI score0.00159EPSS
Exploits1References12
Github Security Blog
Github Security Blog
added 2026/02/03 8:49 p.m.8 views

Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

Summary Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. Impact A vulnerability in checkCSRF lets an attacke...

5.9CVSS5.6AI score0.00159EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.13 views

PT-2026-6472

Summary Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. Impact A vulnerability in checkCSRF lets an attacke...

5.9CVSS5.6AI score0.00159EPSS
Exploits0References5
GithubExploit
GithubExploit
added 2025/12/10 2:0 p.m.189 views

Exploit for Improper Access Control in Shirt-Pocket Superduper\!

CVE-2025-61229 Description From the developer's blog:...

8.4CVSS7.1AI score0.00257EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/12/02 12:19 a.m.8 views

CVE-2025-61229

An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

8.4CVSS7AI score0.00116EPSS
Exploits1References1
EUVD
EUVD
added 2025/12/01 6:30 p.m.7 views

EUVD-2025-200025

An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

6.5AI score0.00116EPSS
Exploits1References4
NVD
NVD
added 2025/12/01 4:15 p.m.8 views

CVE-2025-61229

An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

8.4CVSS0.00116EPSS
Exploits1References2
Rows per page
Query Builder