38 matches found
PT-2026-39679
Name of the Vulnerable Software and Affected Versions: Dozzle versions prior to 10.5.2. Description: The WebSocket upgrader for the '/exec' and '/attach' endpoints accepts upgrade requests from any origin because it uses a custom CheckOrigin function that always returns true. When combined with the...
CVE-2026-40929
WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...
CVE-2026-35180 WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...
AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
Summary: AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin...
SUSE-SU-2026:1010-1 Security update 5.0.7 for Multi-Linux Manager Server
This update fixes the following issues: branch-network-formula: Update to version 1.1.0; Enable containers on SLE15SP7; Exclude podman interfaces from sysctl setting. cobbler: Compatibility fixes for tftpboot directory setup. inter-server-sync: Version 0.3.10-0; Write log to a rotated file witho...
MiracleLinux 9 : firefox-102.5.0-1.el9.ML.1 (AXSA:2023-5007:06)
The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-5007:06 advisory. Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403); Mozilla: Fullscreen notification bypass (CVE-2022-45404)...
MiracleLinux 9 : thunderbird-102.5.0-2.el9.ML.1 (AXSA:2023-5045:06)
The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-5045:06 advisory. Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403); Mozilla: Fullscreen notification bypass (CVE-2022-45404)...
CVE-2023-53957
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...
CVE-2023-53957 Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...
CVE-2025-34291
Summary: Langflow AI
CVE-2025-36134
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie...
CVE-2025-36134 IBM Sterling B2B Integrator and IBM Sterling File Gateway information disclosure
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie...
CVE-2025-6670
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation...
EUVD-2020-7561
Malware in sbrugna...
CVE-2025-57821 Basecamp's Google Sign-In for Rails allowed redirects to a malformed URL
Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a...
CVE-2021-41113
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site request forgery. The impact is the same as...
CVE-2020-15574
SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893...
CVE-2025-22493
CVE-2025-22493 affects Foreseer Reporting Software (FRS). The issue stems from the secure flag not being set and SameSite configured to Lax, allowing session cookies to be transmitted over unencrypted HTTP connections. The Red Hat and NVD/NIST records confirm the vulnerability description and ind...
Broadcom RAID Controller Security Vulnerability
The Broadcom RAID Controller is a series of RAID controllers from Broadcom Corporation. A security vulnerability exists in the Broadcom RAID Controller that stems from an insecure HTTP in the web interface that prevents the protection of the SESSIONID cookie with the SameSite attribute...