CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 5 days ago•25 views

CVE-2026-47825 Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations

8.6CVSS0.00186EPSS

CVE•added 5 days ago•24 views

CVE-2026-47825

The CVE affects Spring Cloud Gateway Server components (WebMVC and WebFlux gateways) where headers from untrusted proxies (X-Forwarded-For, Forwarded) are forwarded in certain configurations. Root cause: forwarded-header handling without a trusted-proxy basis allows forged headers to reach downst...

8.6CVSS5.2AI score0.00186EPSS

Positive Technologies•added 5 days ago•16 views

PT-2026-49468

8.6CVSS5.2AI score0.00186EPSS

Snyk•added 2026/06/11 12:0 a.m.•3 views

Use of Less Trusted Source

Overview Affected versions of this package are vulnerable to Use of Less Trusted Source. Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded request headers it receives from untrusted proxies to downstream services. Both the WebFlux and WebMVC Gateway Servers process these...

8.6CVSS5.4AI score0.00186EPSS

RedHat Linux•added 2026/06/10 8:29 p.m.•3 views

undertow: Undertow: Request smuggling via inconsistent header parsing

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...

9.1CVSS5.4AI score0.00704EPSS

RedHat Linux•added 2026/06/10 8:29 p.m.•4 views

undertow: Undertow: Request smuggling via `\r\r\r` as a header block terminator

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer,...

9.1CVSS5.4AI score0.00706EPSS

RedHat Linux•added 2026/06/10 8:25 p.m.•4 views

undertow: Undertow: Request smuggling via inconsistent header parsing

9.1CVSS5.4AI score0.00704EPSS

CNNVD•added 2026/06/10 12:0 a.m.•7 views

kafka-python 安全漏洞

Kafka-Python is a distributed stream processing engine client library written entirely in Python by Dana Powers. Versions of Kafka-Python prior to 2.3.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of boundary validation for the 4-byte frame length value in the...

8.7CVSS5.3AI score0.00352EPSS

Ivanti•added 2026/06/09 5:17 p.m.•19 views

CVE‑2026‑49975 – HTTP/2 Denial of Service Vulnerability

Status: EPMM unaffected Summary: CVE‑2026‑49975 is a denial‑of‑service DoS vulnerability affecting HTTP/2 implementations in several web servers. The issue allows an unauthenticated attacker to exhaust server memory using specially crafted HTTP/2 requests. EPMM / Sentry rely on Apache Tomcat for...

7.5CVSS5.5AI score0.01313EPSS

Exploits6

The Hacker News•added 2026/06/06 8:29 a.m.•27 views

Free Apps Are Turning Smart TVs Into Web-Scraping Proxies for AI

A researcher has reverse-engineered the iOS SDK that Bright Data embeds in consumer apps and documented how, with the user's consent, it can turn devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic for a data business Bright Data markets heavily to the AI...

5.5AI score

Exploits0

Fedora•added 2026/06/05 4:9 a.m.•10 views

[SECURITY] Fedora 43 Update: perl-HTTP-Tiny-0.094-1.fc43

This is a very simple HTTP/1.1 client, designed for doing simple GET requests without the overhead of a large framework like LWP::UserAgent. It is more correct and more complete than HTTP::Lite. It supports proxies currently only non-authenticating ones and redirection. It also correctly resumes...

6.5CVSS5.8AI score0.00227EPSS

Exploits0

CNNVD•added 2026/06/05 12:0 a.m.•2 views

Arista CloudVision eXchange 安全漏洞

Arista CloudVision eXchange is a control plane exchange platform developed by Arista Technologies in the United States, aimed at data centers and enterprise networks. There is a security vulnerability in Arista CloudVision eXchange. This vulnerability stems from EOS switches’ lack of flexibility...

7.1CVSS5.3AI score0.00235EPSS

CNNVD•added 2026/06/04 12:0 a.m.•3 views

WordPress plugin Zoner Real Estate 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

5.4CVSS5.2AI score0.00171EPSS

SUSE CVE•added 2026/06/02 1:37 a.m.•10 views

SUSE CVE-2026-46527

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::settrustedproxies with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid ...

8.7CVSS5.7AI score0.00283EPSS

Exploits1References3

Snyk•added 2026/06/01 9:0 p.m.•6 views

Malicious Package

Overview ishowfeet17 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate...

9.8CVSS5.8AI score

Snyk•added 2026/06/01 9:0 p.m.•11 views

Malicious Package

Overview nottuff28 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisin...

9.8CVSS5.8AI score

Snyk•added 2026/06/01 9:0 p.m.•8 views

Malicious Package

Overview kirkland is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertising...

9.8CVSS5.8AI score