CVE-2026-25748

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious...

CVE-2026-25748

authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious...

CVE-2026-25748

The vulnerability CVE-2026-25748 affects authentik prior to 2025.10.4 and 2025.12.4 in the Proxy Provider when used with Traefik or Caddy as reverse proxy. A malformed cookie could bypass authentication during forward authentication, causing missing authentik headers (X-Authentik-*) and potential...

CVE-2026-1709

A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security TLS authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing...

CLEANSTART-2026-AM95501 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11

Multiple security vulnerabilities affect the tomcat10 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability detail...

EulerOS Virtualization 2.10.0 : mod_http2 (EulerOS-SA-2026-1182)

According to the versions of the modhttp2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : In certain proxy configurations, a denial of service attack againstApache HTTP Server versions 2.4.26 through to 2.4.63 can be...

CLEANSTART-2026-XP58111 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11

Multiple security vulnerabilities affect the tomcat9 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details...

CLEANSTART-2026-XI02879 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11

Multiple security vulnerabilities affect the tomcat9 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details...

CLEANSTART-2026-SJ80413 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11

Multiple security vulnerabilities affect the tomcat9 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details...

CLEANSTART-2026-CD66042 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11

Multiple security vulnerabilities affect the tomcat9 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details...

CVE-2026-24687 Umbraco.Forms has path traversal and file enumeration vulnerability in Linux/Mac

Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud...

Azure Linux 3.0 Security Update: python-waitress (CVE-2022-31015)

The version of python-waitress installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-31015 advisory. - Waitress is a Web Server Gateway Interface server for Python 2 and 3. Waitress versions 2.1.0 and...

Azure Linux 3.0 Security Update: python-tensorboard (CVE-2021-33197)

The version of python-tensorboard installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2021-33197 advisory. - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy from...

MiracleLinux 9 : golang-1.17.12-1.el9, go-toolset-1.17.12-1.el9 (AXSA:2022-4035:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-4035:01 advisory. golang: compress/gzip: stack exhaustion in Reader.Read CVE-2022-30631 golang: net/http: improper sanitization of Transfer-Encoding header...

CVE-2026-23837 MyTube has an Authorization Bypass vulnerability

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication...

Server-side Request Forgery (SSRF)

Overview @sveltejs/adapter-node is an Adapter for SvelteKit apps that generates a standalone Node server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the improper decoding of protocol headers in resolved path. An attacker can cause the server process...

MiracleLinux 3 : httpd-2.2.3-53.3.0.1.AXS3 (AXSA:2011-346:03)

The remote MiracleLinux 3 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2011-346:03 advisory. The Apache HTTP Server is a powerful, efficient, and extensible web server. Security issues fixed with this release: CVE-2011-3368 The modproxy module in the...

[SECURITY] Fedora 42 Update: nginx-1.28.1-3.fc42

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

CVE-2018-1000150

An exposure of sensitive information vulnerability exists in Jenkins Reverse Proxy Auth Plugin 1.5 and older in ReverseProxySecurityRealmauthContext that allows attackers with local file system access to obtain a list of authorities for logged in users...

CVE-2024-34451

Ghost through 5.85.1 allows remote attackers to bypass an authentication rate-limit protection mechanism by using many X-Forwarded-For headers with different values. NOTE: the vendor's position is that Ghost should be installed with a reverse proxy that allows only trusted X-Forwarded-For headers...