Caddy CVE-2026-30852 Fix Bypass

TL;DR CVE-2026-30852 fixed double expansion in varsregexp when the variable key is a placeholder e.g. http.vars.x. The fix does NOT protect literal key names e.g. tenantid. An attacker injects env.AWSSECRETACCESSKEY or file./etc/passwd via a request header → Caddy expands it on the second pass →...

GHSA-WWHQ-W58M-W29C Caddy CVE-2026-30852 Fix Bypass

TL;DR CVE-2026-30852 fixed double expansion in varsregexp when the variable key is a placeholder e.g. http.vars.x. The fix does NOT protect literal key names e.g. tenantid. An attacker injects env.AWSSECRETACCESSKEY or file./etc/passwd via a request header → Caddy expands it on the second pass →...

EUVD-2026-30557

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...

GHSA-FFHC-5MCF-PF4Q Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

Impact App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to...

Next.js vulnerable to cache poisoning in React Server Component responses

Impact Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later...

GHSA-35VF-VW9F-Q3CR Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r6xh-pqhr-v4xh. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request...

Access Control Bypass

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Access Control Bypass via the MCP loopback process. An attacker can gain unauthorized access to owner-gated operations by spoofing owner-context metadata in request headers. Remediation...

CVE-2026-40885

CVE-2026-40885 (goshs) involves a credential leakage in goshs, a Go-based SimpleHTTPServer. From 2.0.0-beta.4 to beta.5, the public collaborator feed leaks file-based ACL credentials and can expose a victim’s folder-specific Basic auth header to unauthenticated websocket observers. This enables a...

Flowise: Sensitive Data Leak in public-chatbotConfig

Summary /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers,...

fastify/reply-from和fastify/http-proxy 安全漏洞

fastify/reply-from and fastify/http-proxy are both products from the Fastify open-source project. fastify/reply-from is a plugin designed to forward incoming HTTP requests to another server. fastify/http-proxy is a full-featured HTTP proxy plugin that supports proxying WebSocket connections and...

GHSA-7H3J-592V-JCRP goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access

Summary goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including...

CVE-2026-34767

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via...

CVE-2026-34767

Summary : Electron apps that register custom protocol handlers (protocol.handle()/protocol.registerSchemesAsPrivileged()) or use webRequest.onHeadersReceived can be vulnerable to HTTP response header injection when untrusted input is reflected into header names or values. Impact : injected header...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

Permissive List of Allowed Inputs in ewe

Summary ewe's chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. Security-sensitive headers like authorization, cookie, and x-forwarded-for can be injected or overwritten by a malicious client...

CVE-2026-30852

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the varsregexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When varsregexp matches against a placeholder like http.request.header.X-Input, the...

UBUNTU-CVE-2026-30852

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the varsregexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When varsregexp matches against a placeholder like http.request.header.X-Input, the...

Feathers 信息泄露漏洞

Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier contained an information leakage vulnerability. This vulnerability stemmed from the fact that all HTT...

GHSA-9M9C-VPV5-9G85 Feathers exposes internal headers via unencrypted session cookie

All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session: javascript //...

Node.js: Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)

Vulnerability description not provided...