Lucene search
K

49 matches found

Snyk
Snyk
added last week4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the default configuration of REVERSEPROXYTRUSTEDPROXIES allowing all sources. An attacker can gain unauthorized access by sending spoofed reverse-proxy authentication headers such as X-WEBAUTH-USER...

9.8CVSS7.4AI score0.00783EPSS
Exploits4References2
Snyk
Snyk
added last week4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the default configuration of REVERSEPROXYTRUSTEDPROXIES allowing all sources. An attacker can gain unauthorized access by sending spoofed reverse-proxy authentication headers such as X-WEBAUTH-USER...

9.8CVSS7.4AI score0.00783EPSS
Exploits4References2
Snyk
Snyk
added last week4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the default configuration of REVERSEPROXYTRUSTEDPROXIES allowing all sources. An attacker can gain unauthorized access by sending spoofed reverse-proxy authentication headers such as X-WEBAUTH-USER...

9.8CVSS7.4AI score0.00783EPSS
Exploits4References2
Snyk
Snyk
added last week5 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the default configuration of REVERSEPROXYTRUSTEDPROXIES allowing all sources. An attacker can gain unauthorized access by sending spoofed reverse-proxy authentication headers such as X-WEBAUTH-USER...

9.8CVSS7.4AI score0.00783EPSS
Exploits4References2
Cvelist
Cvelist
added 2026/07/01 2:25 p.m.33 views

CVE-2026-58399 @acastellon/auth has an authentication bypass via spoofable headers in validateToken()

@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for...

8.7CVSS0.00543EPSS
Exploits0References3
NVD
NVD
added 2026/06/19 2:16 p.m.11 views

CVE-2026-49231

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX:...

5.4CVSS0.00359EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/19 1:14 p.m.8 views

EUVD-2026-38020

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX:...

2.3CVSS5.9AI score0.00359EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.30 views

PT-2026-50896

Name of the Vulnerable Software and Affected Versions Apache APISIX versions 3.5.0 through 3.16.0 Description An authentication bypass issue exists in the opa plugin. An attacker can relay spoofed identity headers to upstream services by exploiting non-default configurations in the opa plugin,...

5.4CVSS5.9AI score0.00359EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-54912

Name of the Vulnerable Software and Affected Versions @acastellon/auth versions prior to 2.3.0 Description An authentication bypass exists in the validateToken middleware. The issue stems from improper trust in spoofable request headers and flawed request flow control, which allows the next...

9.3CVSS5.8AI score0.00543EPSS
Exploits0References9
Snyk
Snyk
added 2026/05/14 9:30 p.m.9 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via spoofed X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token. An attacker can gain unauthorized access to owner or organization-scoped lease operations by injecting malicious...

8.8CVSS5.3AI score0.00361EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/14 6:46 p.m.12 views

EUVD-2026-30369

Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a...

8.8CVSS5.8AI score0.00361EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.13 views

PT-2026-40979

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.80.1 Description An issue in the IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. The software extracts client IP addresses from request headers...

7.5CVSS5.9AI score0.00276EPSS
Exploits0References6
Snyk
Snyk
added 2026/04/24 4:32 p.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the ServeHTTP function, which does not sufficiently sanitize X- alias headers. An attacker can gain unauthenticated access to protected endpoints by injecting spoofed trust context with...

10CVSS5.5AI score0.00479EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/24 4:32 p.m.6 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the ServeHTTP function, which does not sufficiently sanitize X- alias headers. An attacker can gain unauthenticated access to protected endpoints by injecting spoofed trust context with...

10CVSS5.5AI score0.00479EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.5 views

CVE-2026-29794

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

5.3CVSS5.8AI score0.00328EPSS
Exploits1References1
OSV
OSV
added 2026/03/23 6:16 p.m.4 views

GO-2026-4791 Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

5.3CVSS5.8AI score0.00328EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/20 2:41 p.m.7 views

EUVD-2026-13706

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers...

5.3CVSS5.8AI score0.00328EPSS
Exploits1References3
OSV
OSV
added 2026/03/20 2:41 p.m.13 views

GHSA-M547-HP4W-J6JX Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Summary Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP. Details In the first file below, the rate-limit for unauthenticated users can be observed...

5.3CVSS5.9AI score0.00328EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/03/20 2:39 p.m.21 views

CVE-2026-29794 Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

5.3CVSS0.00328EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/20 2:39 p.m.5 views

CVE-2026-29794 Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

5.3CVSS5.8AI score0.00328EPSS
Exploits1References2
Rows per page
Query Builder