Lucene search
K

77 matches found

CVE
CVE
added 2026/03/26 5:26 p.m.16 views

CVE-2026-33495

CVE-2026-33495 affects ORY Oathkeeper. Prior to version 26.2.0, Oathkeeper could incorrectly trust the X-Forwarded-* headers when evaluating access rules, due to the serve.proxy.trust_forwarded_headers setting being ignored. This could allow an attacker with distinct HTTP/HTTPS rules to trigger t...

6.5CVSS5.8AI score0.00233EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:50 p.m.5 views

Ory Oathkeeper has an authentication bypass by usage of untrusted header

Description Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol http vs. https than the original request. In order to properly match the...

6.5CVSS5.8AI score0.00233EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/03/20 8:50 p.m.2 views

Missing Authorization

Overview github.com/ory/oathkeeper/proxy is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules Affected versions of this package are vulnerable to Missing Authorization in the evaluation of the X-Forwarded-Proto header due to...

6.9CVSS5.8AI score0.00233EPSS
Exploits0References2
OSV
OSV
added 2026/02/26 8:47 a.m.5 views

BIT-MONGODB-2026-1848 Connections received from the proxy port may not count towards total accepted connections

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

8.2CVSS5.5AI score0.00263EPSS
Exploits0References2
NVD
NVD
added 2026/02/10 7:15 p.m.5 views

CVE-2026-1848

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

8.2CVSS0.00263EPSS
Exploits0References1
OSV
OSV
added 2026/02/10 7:15 p.m.2 views

CVE-2026-1848

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

8.2CVSS5.9AI score
Exploits0References1
OSV
OSV
added 2026/02/10 7:15 p.m.5 views

UBUNTU-CVE-2026-1848

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

8.2CVSS5.8AI score0.00263EPSS
Exploits0References3
MongoDB
MongoDB
added 2026/02/10 6:22 p.m.11 views

Connections received from the proxy port may not count towards total accepted connections

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

8.2CVSS5.5AI score0.00263EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/02/10 6:22 p.m.27 views

CVE-2026-1848 Connections received from the proxy port may not count towards total accepted connections

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

8.2CVSS0.00263EPSS
Exploits0References1
CVE
CVE
added 2026/02/10 6:22 p.m.25 views

CVE-2026-1848

CVE-2026-1848 affects a MongoDB component where connections received via the proxy port are not counted toward the total accepted connections while the proxy protocol header is pending. This can allow the server to reach resource limits, potentially causing crashes when the total connections exce...

8.2CVSS5.5AI score0.00263EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/10 12:0 a.m.8 views

PT-2026-7421

Name of the Vulnerable Software and Affected Versions Connections affected versions not specified Description The system may not accurately count connections received through the proxy port, specifically when a proxy protocol header is present. This can lead to the server exceeding its connection...

8.2CVSS5.4AI score0.00263EPSS
Exploits0References8
OSV
OSV
added 2025/12/19 11:15 a.m.7 views

BIT-MONGODB-2025-14847 Zlib compressed protocol header length confusion may allow memory read

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3,...

8.7CVSS6.9AI score0.83007EPSS
Exploits39References4
Veracode
Veracode
added 2025/11/28 5:57 a.m.12 views

Server-Side Request Forgery (SSRF)

Astro is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insecure and unsanitized use of the x-forwarded-proto and x-forwarded-port headers when constructing URLs, which allows an attacker to manipulate these headers to bypass protected routes, poison caches, trigger...

6.5CVSS7.1AI score0.01112EPSS
Exploits1References5Affected Software1
Vulnrichment
Vulnrichment
added 2025/11/13 3:58 p.m.2 views

CVE-2025-64525 Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass

Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are:...

6.5CVSS6.1AI score0.01112EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2025/10/27 12:0 a.m.8 views

Siemens SIMATIC, SCALANCE and RUGGEDCOM Devices Use of Uninitialized Resource (CVE-2024-50033)

In the Linux kernel, the following vulnerability has been resolved: slip: make slhcremember more robust against malicious packets syzbot found that slhcremember was missing checks against malicious packets 1. slhcremember only checked the size of the packet was at least 20, which is not good...

7.1CVSS6.3AI score0.00272EPSS
Exploits0References5
OSV
OSV
added 2025/09/25 2:0 p.m.7 views

CVE-2025-59426 lobe-chat has an Open Redirect

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a...

4.3CVSS6.7AI score0.00301EPSS
Exploits1References5
OSV
OSV
added 2025/09/24 9:34 p.m.3 views

GHSA-XPH5-278P-26QX lobe-chat has an Open Redirect

Description --- Vulnerability Overview The project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-...

4.3CVSS7AI score0.00301EPSS
Exploits1References5
Snyk
Snyk
added 2025/08/09 1:46 a.m.3 views

Regular Expression Denial of Service (ReDoS)

Overview @oakserver/oak is an A middleware framework for handling HTTP requests Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the x-forwarded-proto or x-forwarded-for headers. An attacker can cause significant performance degradation by sending...

6.9CVSS6.7AI score0.00362EPSS
Exploits0References2
CVE
CVE
added 2025/01/30 7:17 p.m.47 views

CVE-2024-10604

CVE-2024-10604 affects Fuchsia’s network header field generation algorithms. Vulnerable components include the TCP Initial Sequence Number (ISN), TCP timestamp, TCP/UDP source ports, and IPv4/IPv6 fragment IDs, which can be guessed under certain circumstances. The available connected sources iden...

6.9CVSS6.6AI score0.00223EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2024/12/24 6:41 p.m.8 views

CLSA-2024-1735065713 Fix CVE(s): CVE-2023-28708

SECURITY UPDATE: Missing secure attribute in session cookies when using RemoteIpFilter with X-Forwarded-Proto header set to https - debian/patches/CVE-2023-28708.patch: Fix JSessionId secure attribute missing when RemoteIpFilter determines request submitted via secure channel - CVE-2023-28708...

4.3CVSS6.8AI score0.01831EPSS
Exploits0References1
Rows per page
Query Builder