Lucene search
K

88 matches found

Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-54003 Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header

Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the...

9.1CVSS0.00545EPSS
Exploits0References8
NVD
NVD
added 5 days ago5 views

CVE-2026-45045

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add instead of Header.Set when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream serve...

5.3CVSS0.00455EPSS
Exploits0References7
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-45045 Fiber: X-Real-IP Spoofing via Header.Add() in BalancerForward

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add instead of Header.Set when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream serve...

5.3CVSS0.00455EPSS
Exploits0References7
CVE
CVE
added 5 days ago15 views

CVE-2026-45045

Fiber (GoFiber) is affected by a vulnerability in BalancerForward where the proxy injects X-Real-IP using Header.Add() instead of Header.Set(), allowing an attacker-supplied value to be forwarded to upstreams. Affected versions before 3.3.0 and 2.52.14 are impacted; the issue is fixed in 3.3.0 an...

5.3CVSS5.9AI score0.00455EPSS
Exploits0References7
OSV
OSV
added 2026/07/02 1:50 p.m.4 views

GHSA-GCFQ-8GQF-4876 GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward

Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...

5.3CVSS5.7AI score0.00455EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/02 1:50 p.m.7 views

GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward

Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...

5.3CVSS5.7AI score0.00455EPSS
Exploits0References2Affected Software2
Snyk
Snyk
added 2026/07/02 1:50 p.m.4 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the BalancerForward process. An attacker can manipulate upstream IP-based logic, such as rate limiting, access control, and audit logging, by injecting a spoofed X-Real-IP header value in requests. Remediation...

6.9CVSS6AI score0.00455EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50724

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description An external initialization issue exists in the Kirby Panel and REST API. This occurs when a site has no configured user accounts and is hosted on a publicly accessible...

9.1CVSS5.9AI score0.00545EPSS
Exploits0References12
GithubExploit
GithubExploit
added 2026/05/14 10:48 a.m.96 views

report-anonymizer

🛡️ Report Anonymizer Local LLM anonymizer for penetration-t...

5.8AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/05/11 8:27 p.m.14 views

CVE-2026-45182

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let systemserver transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" a...

2.2CVSS5.8AI score0.00094EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/09 10:7 p.m.9 views

EUVD-2026-28944

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let systemserver transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" a...

2.2CVSS5.8AI score0.00094EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/09 10:7 p.m.8 views

CVE-2026-45182

GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let systemserver transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" a...

2.2CVSS5.8AI score0.00094EPSS
Exploits0References3
CVE
CVE
added 2026/05/09 10:7 p.m.21 views

CVE-2026-45182

Summary: CVE-2026-45182 affects GrapheneOS prior to 2026050400. A vulnerability arises from a registerQuicConnectionClosePayload optimization that lets a local attacker infer the real IP address of a VPN user when the device has both “Block connections without VPN” and “Always-on VPN” enabled, by...

2.2CVSS5.8AI score0.00094EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.11 views

mailcow: dockerized 安全漏洞

mailcow: dockerized is a dockerized version of the mailcow open-source application. Versions of mailcow before dockerized 2026-03b contained security vulnerabilities. These vulnerabilities stemmed from the lack of HTML encoding for client IP addresses in the user dashboard login history, and the...

7CVSS5.8AI score0.00182EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.16 views

PT-2026-34056

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" login history renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP...

7CVSS5.8AI score0.00182EPSS
Exploits0References2
OSV
OSV
added 2026/03/20 2:41 p.m.13 views

GHSA-M547-HP4W-J6JX Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Summary Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP. Details In the first file below, the rate-limit for unauthenticated users can be observed...

5.3CVSS5.9AI score0.00328EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/20 2:41 p.m.7 views

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Summary Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP. Details In the first file below, the rate-limit for unauthenticated users can be observed...

5.3CVSS5.9AI score0.00328EPSS
Exploits1References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/20 12:0 a.m.26 views

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP...

5.3CVSS5.8AI score0.00328EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.7 views

Vikunja 安全漏洞

Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja from 0.8 to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from a rate-limiting mechanism that relied on RealIP values. This allowed unverified users to bypass rate limits by...

5.3CVSS6.4AI score0.00328EPSS
Exploits1References2
OSV
OSV
added 2026/03/05 4:18 p.m.6 views

CVE-2026-29054 Traefik: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)

Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to preve...

7.5CVSS7.1AI score0.00467EPSS
Exploits0References9
Rows per page
Query Builder