1338 matches found
MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...
CVE-2026-48014 Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
CVE-2026-62227
OpenClaw 2026.4.14 before 2026.5.26 contain a server-side request forgery vulnerability in browser snapshot routes that fail to validate post-navigation destinations. Attackers with lower-trust access can bypass OpenClaw policy checks to reach network destinations that should have been blocked...
CVE-2026-62227
OpenClaw 2026.4.14 before 2026.5.26 is affected by a server-side request forgery (SSRF) in browser snapshot routes. The root cause is failure to validate post-navigation destinations, allowing attackers with lower-trust access to bypass policy checks and reach network destinations that should be ...
EUVD-2026-45115
OpenClaw 2026.4.14 before 2026.5.26 contain a server-side request forgery vulnerability in browser snapshot routes that fail to validate post-navigation destinations. Attackers with lower-trust access can bypass OpenClaw policy checks to reach network destinations that should have been blocked...
CVE-2026-61718
Bunkerweb (WAF) exposes a vulnerability in versions 1.6.2–1.6.12 where the BiscuitMiddleware authorization bypass for the /cache/ routes allowed low-privilege read-only users to delete job cache files. Specifically, routes in src/ui/app/routes/cache.py were only protected by @login_required despi...
CVE-2026-61718 bunkerweb: Read-only Web UI users can delete job cache files due to missing authorization on /cache/ routes
bunkerweb is an Open-source and next-generation Web Application Firewall WAF. From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @loginrequired, including POST...
aiohttp - Directory Traversal
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...
CVE-2026-56679
9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole...
CVE-2026-62312 9Router: Authenticated RCE via Unvalidated MCP Plugin Arguments
9Router is an AI router & token saver. Prior to 0.5.2, 9Router allows a remote authenticated attacker to achieve arbitrary code execution on the host operating system by combining a Host header bypass of localhost-only routes with unvalidated MCP plugin args passed to childprocess.spawn, allowing...
CVE-2026-56679
9Router (AI router & token saver) contains a mass-assignment vulnerability in PATCH /api/settings prior to version 0.5.4. The endpoint writes the entire request body to persistent settings without a field whitelist, enabling an authenticated user to modify security-critical fields such as require...
CVE-2026-56679 9Router: Mass assignment in PATCH /api/settings allows authenticated authorization downgrade
9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole...
CVE-2026-46339 9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/ and /api/mcp/, allowing unauthenticated registration of customPlugins through src/app/api/cli-tools/cowork-settings/route.js and command execution through the MCP...
CVE-2026-46339 9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/ and /api/mcp/, allowing unauthenticated registration of customPlugins through src/app/api/cli-tools/cowork-settings/route.js and command execution through the MCP...
CVE-2026-46339
Summary: CVE-2026-46339 affects 9Router, where middleware did not protect /api/cli-tools/* and /api/mcp/* until a fix in 0.4.37. Connected sources describe unauthenticated registration of custom MCP plugins via /api/cli-tools/cowork-settings and command execution through the MCP bridge, enabling ...
EUVD-2026-44773
Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTPRoutes to mirror HTTP traffic to any Service in any namespace, bypassing the ReferenceGrant...
PT-2026-60306
Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.5.2 Description A remote authenticated attacker can achieve arbitrary code execution on the host operating system. This is possible by combining a Host header bypass of localhost-only routes with unvalidated MCP...
PT-2026-60281
Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTPRoutes to mirror HTTP traffic to any Service in any namespace, bypassing the ReferenceGrant...
CVE-2026-48489
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, DefaultAuthenticationFailureHandler honored the request-supplied failurepath parameter when failureforward: true was enabled, allowing an unauthenticated...
CVE-2026-45075
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, method-scoped IsGranted, IsSignatureValid, and IsCsrfTokenValid attributes can be configured for GET only, but Symfony routes HEAD requests to the GET handler while the...