13 matches found
GHSA-654M-C8P4-X5FP Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2. Summary: The Object.create(null) fix introduced in Axios 1.15.2 (GHSA-q8qp-cvcw-x6jj) protects the top-level config object from prototype pollution. However, nested objects created...
Prototype Pollution
Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the setProxy function. An attacker can inject arbitrary credentials into the Proxy-Authorization header of proxied HTTP requests b...
Windows Snipping Tool - NTLMv2 Hash Hijack
Exploit Title: Windows Snipping Tool - NTLMv2 Hash Hijack Date: 2026-04-22 Exploit Author: nu11secur1ty Video Demo: https://www.patreon.com/posts/cve-2026-33829-156243398 Vendor Homepage: https://www.microsoft.com Software Link: Built-in Windows Snipping Tool Version: Windows 10, Windows 11,...
SUSE-SU-2026:1520-1 Security update 5.1.3 for Multi-Linux Manager Client Tools
This update fixes the following issues: golang-github-lusitaniae-apacheexporter: - Internal changes to fix build issues with no impact for customers spacecmd: - Version 5.1.13-0 Updated translation strings uyuni-tools: - Version 5.1.26-0 Fixed applying PTF with images from RPMs bsc1252548 Ssl Key...
Security update 5.1.3 for Multi-Linux Manager Client Tools
This update fixes the following issues: spacecmd: Version 5.1.13-0 Update translation strings uyuni-tools: Version 5.1.26-0 Fix applying PTF with images from RPMs bsc1252548 Ssl Key file can miss if CA password is blank bsc1254154 mgrpxy ssh tuning should happens before crypto policies bsc1254619...
DEBIAN-CVE-2025-58136
A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue. A workaround for older versions is to...
PT-2024-30090 · Google · Google Kms
Name of the Vulnerable Software and Affected Versions: berriai/litellm (affected versions not specified). Description: A remote code execution issue exists due to improper control of code generation when using the eval function unsafely in the litellm.get_secret method. Specifically, when the server...
CVE-2023-33977 Stored cross site scripting (XSS) via unrestricted file upload in Kiwi TCMS
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded...
CVE-2021-40346
Proxy server haproxy has a flaw that could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by haproxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in haproxy while...
url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled as demonstrated by a large PAC file that is delivered without a Content-length header.
...
GHSA-5PHF-PP7P-VC2R Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection
Impact: Users who are using an HTTPS proxy to issue HTTPS requests and haven't configured their own SSLContext via proxy_config. Only the default SSLContext is impacted. Patches: urllib3 >=1.26.4 has the issue resolved. urllib3 <1.26 is not impacted due to not supporting HTTPS requests via HTTPS proxie...
CVE-2019-2051
In heap of spaces.h, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure when processing a proxy auto config file with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android...
Confluence does not respect HTTPS in Server Base URL when 301 redirecting
We have Confluence setup behind an Apache reverse proxy and our Server Base URL is set to "https://confluence...". However, when Confluence sends out a 301, it always sends the Location: http://confluence..., which then gets redirected by Apache to https://confluence... Confluence should respect...