CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/04/02 12:0 a.m.•1 views

PT-2026-29921

Summary Rack::Utils.forwarded values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack a...

4.8CVSS5.9AI score0.00048EPSS

Exploits0References4

EUVD•added 2026/03/25 7:54 p.m.•2 views

EUVD-2026-14500

AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr...

5.3CVSS5.8AI score0.00029EPSS

Exploits1References3

Github Security Blog•added 2026/03/25 7:32 p.m.•2 views

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...

Exploits0References6Affected Software1

OSV•added 2026/03/25 7:32 p.m.•1 views

GHSA-444R-CWP2-X5XF fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

RedhatCVE•added 2026/03/23 5:10 p.m.•2 views

Exploits0References6

CVE-2026-3635

A flaw was found in fastify. When the trustProxy option is configured with a restrictive trust function, such as a specific IP, a subnet, a hop count or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection,...

6.1CVSS5.6AI score0.00012EPSS

Exploits0References5

Snyk•added 2026/03/23 1:53 p.m.•0 views

Use of Less Trusted Source

Overview fastify is an overhead web framework, for Node.js. Affected versions of this package are vulnerable to Use of Less Trusted Source in the request.protocol and request.host getters. An attacker can manipulate the perceived protocol and host by sending crafted X-Forwarded-Proto and...

Cvelist•added 2026/03/23 1:53 p.m.•19 views

CVE-2026-3635 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function

6.1CVSS0.00012EPSS

ATTACKERKB•added 2026/03/23 1:53 p.m.•1 views

CVE-2026-3635

Vulnrichment•added 2026/03/23 1:53 p.m.•0 views

Exploits0References4

CVE-2026-3635 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function

CVE•added 2026/02/23 12:0 a.m.•5 views

CVE-2025-71056

The CVE-2025-71056 entry concerns GCOM EPON 1GE ONU, version C00R371V00B01, with improper session management that allows session hijacking by spoofing the IP address of an authenticated user. The connected sources (NVD/CVE records) confirm the vulnerability description but do not provide specific...

8.1CVSS5.5AI score0.0004EPSS

NVD•added 2026/01/30 11:16 p.m.•4 views

CVE-2020-37056

Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and...

9.8CVSS0.00024EPSS

CVE•added 2026/01/26 10:5 a.m.•7 views

CVE-2025-59101

CVE-2025-59101 affects the dormakaba access manager web interface. The authentication model relies on per-request IP verification after a successful login, with no traditional session state stored. This enables an attacker to spoof a logged-in user’s IP to gain access, as there is no persistent s...

7.7CVSS5.9AI score0.00038EPSS

CNNVD•added 2026/01/05 12:0 a.m.•1 views

Devy Mega-Fence 安全漏洞

Devy Mega-Fence is a middleware for traffic control and online queuing from Devy Korea. A security vulnerability exists in Devy Mega-Fence versions 25.1.914 and earlier, which stems from trusting the X-Forwarded-For header value and could lead to client-side IP spoofing...

6.5CVSS6.6AI score0.0008EPSS

Exploits1References3

NVD•added 2026/01/01 7:15 p.m.•1 views

CVE-2025-69203

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against...

8.8CVSS0.00021EPSS

Exploits1References2

CNNVD•added 2025/12/09 12:0 a.m.•3 views

1Panel 安全漏洞

1Panel is an open source Linux server operations and management panel for the Chinese 1Panel community. A security vulnerability exists in 1Panel version 2.0.14 and earlier, which stems from trusting all proxy IPs and could lead to IP spoofing and security control bypass...

6.5CVSS6.3AI score0.00043EPSS

Positive Technologies•added 2025/12/06 12:0 a.m.•1 views

PT-2025-49336

The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle enqueue only function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary...

5.3CVSS6.1AI score0.00139EPSS

Exploits0References5

Tenable Nessus•added 2025/08/15 12:0 a.m.•5 views

Linux Distros Unpatched Vulnerability : CVE-2021-3772

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the...

6.5CVSS6.6AI score0.00164EPSS