Lucene search
K

534 matches found

Cvelist
Cvelist
added 2026/05/12 2:1 p.m.32 views

CVE-2026-8368 LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

0.00266EPSS
Exploits0References4
CVE
CVE
added 2026/05/12 2:1 p.m.32 views

CVE-2026-8368

CVE-2026-8368 affects the Perl module LWP::UserAgent before 6.83. The redirect handling on 3xx responses leaks caller credentials by sending Authorization and Proxy-Authorization headers unchanged, even across scheme/host/port changes, to the redirect target. This can disclose credentials to atta...

6.5CVSS5.8AI score0.00266EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/12 2:1 p.m.6 views

CVE-2026-8368

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

5.8AI score0.00266EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/12 2:1 p.m.8 views

CVE-2026-8368 LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

5.8AI score0.00266EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.9 views

PT-2026-40045

Name of the Vulnerable Software and Affected Versions LWP::UserAgent versions prior to 6.83 Description LWP::UserAgent leaks Authorization and Proxy-Authorization headers during cross-origin redirects. When a 3xx response is received, the redirect handler only removes the Host and Cookie headers...

6.5CVSS5.8AI score0.00266EPSS
Exploits0References25
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.9 views

PT-2026-39665

Name of the Vulnerable Software and Affected Versions urllib3 versions 1.23 through 2.6.x Description Sensitive headers, specifically Authorization, Cookie, and Proxy-Authorization, are forwarded during cross-origin redirects when using the low-level API via ProxyManager.connection from...

8.2CVSS5.8AI score0.00527EPSS
Exploits0References370
Patchstack
Patchstack
added 2026/05/07 1:49 a.m.8 views

NPM: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

NPM: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect vulnerability discovered by ? in WordPress Npm kiota-typescript versions 1.0.0-preview.100...

7CVSS5.8AI score0.00505EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 1:49 a.m.29 views

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

Summary The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. This vulnerability is present in the RedirectHandlers...

7CVSS5.9AI score0.00505EPSS
Exploits0References3Affected Software5
OSV
OSV
added 2026/05/07 1:49 a.m.5 views

GHSA-7J59-V9QR-6FQ9 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

Summary The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. This vulnerability is present in the RedirectHandlers...

7CVSS5.9AI score0.00505EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/05/07 12:0 a.m.11 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-pip (UTSA-2026-016506)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016506 advisory. Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint...

6.1CVSS6.5AI score0.02782EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/29 12:0 a.m.7 views

PT-2026-35898

Name of the Vulnerable Software and Affected Versions curl affected versions not specified Description When using libcurl to perform a transfer over a specific HTTP proxy proxyA with Digest authentication and subsequently changing the proxy host to a second one proxyB while reusing the same handl...

5.3CVSS5.2AI score0.00471EPSS
Exploits1References38
Tenable Nessus
Tenable Nessus
added 2026/04/23 12:0 a.m.6 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: libsoup (UTSA-2026-014297)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014297 advisory. A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects,...

5.8CVSS5.5AI score0.00237EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/21 8:9 p.m.11 views

EUVD-2026-24477

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser...

6.5CVSS5.8AI score0.00269EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/18 1:31 a.m.8 views

EUVD-2026-23638

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled followRedirecttrue, versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers...

6.8CVSS6AI score0.00326EPSS
Exploits0References5
CVE
CVE
added 2026/04/18 1:31 a.m.36 views

CVE-2026-40490

The CVE-2026-40490 vulnerability affects AsyncHttpClient (AHC). In versions prior to 3.0.9 and 2.14.5, when redirect following is enabled, AHC forwards Authorization and Proxy-Authorization headers (and Realm credentials) to redirect targets across domains, enabling credential leakage via cross-o...

6.8CVSS6AI score0.00326EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2026/04/18 1:31 a.m.5 views

CVE-2026-40490

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled followRedirecttrue, versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers...

6.8CVSS5.7AI score0.00326EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/04/14 11:33 p.m.9 views

frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control

Summary frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses...

9.1CVSS5.9AI score0.00269EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/14 11:33 p.m.11 views

GHSA-PQ96-PWVG-VRR9 frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control

Summary frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses...

6.5CVSS5.9AI score0.00269EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/14 1:7 a.m.6 views

AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects

Impact When redirect following is enabled followRedirecttrue, AsyncHttpClient forwards Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and...

6.8CVSS5.5AI score0.00326EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.9 views

PT-2026-33219

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled followRedirecttrue, versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers...

6.8CVSS6AI score0.00326EPSS
Exploits0References10
Rows per page
Query Builder