Linux Distros Unpatched Vulnerability : CVE-2021-41281

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be...

Linux Distros Unpatched Vulnerability : CVE-2016-7046

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Red Hat JBoss Enterprise Application Platform EAP 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of...

Linux Distros Unpatched Vulnerability : CVE-2024-23334

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessar...

Linux Distros Unpatched Vulnerability : CVE-2023-30847

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to...

Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source

Impact A stored Cross-Site Scripting XSS vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject...

Cross-site Scripting (XSS)

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Cross-site Scripting XSS via the HTML form element on the Form Trigger node. An authenticated attacker can execute arbitrary JavaScript code in the context of authenticated users by injecting...

Linux Distros Unpatched Vulnerability : CVE-2025-46727

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query strings and...

Linux Distros Unpatched Vulnerability : CVE-2021-33197

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy from net/http/httputil result in a situation where an attacker is able to dro...

Linux Distros Unpatched Vulnerability : CVE-2025-49630

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients...

CVE-2025-54864

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be...

CVE-2025-54864

CVE-2025-54864 affects Hydra (Nix-based CI) where the endpoints /api/push-github and /api/push-gitea were called without HTTP Basic authentication, despite the forges implementing HMAC with a secret key. The root cause is missing authentication on those calls, enabling heavy evaluations that can ...

CVE-2025-54864 Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be...

CVE-2025-54864 Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be...

CVE-2025-54864 Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be...

CVE-2025-54864

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be...

Linux Distros Unpatched Vulnerability : CVE-2020-1935

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some...

Linux Distros Unpatched Vulnerability : CVE-2022-42252

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting...

Hard-Earned Lessons in Access Control at Scale: Enforcing Identity and Policy across Trust Boundaries with Reverse Proxies and MTLS

In today's enterprise environment, traditional access methods such as Virtual Private Networks VPNs and application-specific Single Sign-On SSO often fall short when it comes to securely scaling access for a distributed and dynamic workforce. This paper presents our experience implementing a...

CVE-2025-54576 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skipauthroutes configuration option...

keycloak-core: mTLS passthrough

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication...