Lucene search
K

618 matches found

NVD
NVD
added 5 days ago5 views

CVE-2026-53624

Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol for https instead of c.Scheme. This issue is fixe...

4.8CVSS0.00207EPSS
Exploits0References4
Snyk
Snyk
added last week7 views

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the incorrect protocol check in the helmet middleware, which fails to set the Strict-Transport-Security header even when configured. An attacker can intercept and manipulate network...

6.3CVSS6AI score0.00207EPSS
Exploits0References2
Snyk
Snyk
added last week6 views

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the incorrect protocol check in the helmet middleware, which fails to set the Strict-Transport-Security header even when configured. An attacker can intercept and manipulate network...

6.3CVSS6AI score0.00207EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added last week6 views

GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score0.00207EPSS
Exploits0References2Affected Software1
OSV
OSV
added last week3 views

GHSA-GV83-GQW6-9J2C GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score0.00207EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/08 11:8 p.m.3 views

Improper Restriction of Rendered UI Layers or Frames

Overview Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames due to missing security headers in the internal/web/ and internal/api/ response paths. An attacker can compromise the confidentiality and integrity of sensitive operations, such as...

7.1CVSS6AI score0.00031EPSS
Exploits0References2
OSV
OSV
added 2026/06/08 11:8 p.m.7 views

GHSA-W7W5-5GCP-38RW nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...

7.1CVSS5.5AI score0.00031EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/08 11:8 p.m.15 views

nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...

5.5AI score0.00031EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.15 views

PT-2026-47583

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...

7.1CVSS5.5AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.16 views

PT-2026-47620

Name of the Vulnerable Software and Affected Versions nebula-mesh versions prior to 0.3.0 Description Response paths in internal/web/ and internal/api/ do not implement standard browser-security headers. The absence of X-Frame-Options: DENY or frame-ancestors 'none' in the Content-Security-Policy...

7.1CVSS5.9AI score0.00031EPSS
Exploits0References6
Hacker One
Hacker One
added 2026/05/29 9:18 a.m.24 views

curl: Low priority HSTS bypass in curl_easy_duphandle()

Summary: curleasyduphandle creates a fresh HSTS store for the cloned handle and populates it from the configured files and callbacks, but never copies entries acquired from Strict-Transport-Security response headers during the parent's lifetime. This means the client using a cloned handle may...

5.8AI score
Exploits0
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.8 views

Astra Linux – Vulnerability in Firefox

When network partitioning was enabled, for example as a result of Enhanced Tracking Protection settings, a TLS error page allowed users to override an error on a domain that had specified HTTP Strict Transport Security. This means that the error should not be overwritten. This issue did not affec...

4.3CVSS6.2AI score0.0084EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in qtbase-opensource-src

A issue was discovered in Qt before version 5.15.14, in versions 6.x before 6.2.9, and in versions 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security HSTS header, allowing unencrypted connections to be established, even when such connections are explicit...

5.3CVSS5.6AI score0.00875EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerability in Firefox and Thunderbird

In specific HSTS configurations, an attacker could bypass HSTS on a subdomain. This vulnerability affects Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7...

6.5CVSS6.6AI score0.00711EPSS
Exploits0References2
Hacker One
Hacker One
added 2026/05/13 10:12 p.m.28 views

curl: HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115

Hi all, Honestly, I'm not completely certain about this issue, but I think the CVE-2022-30115 fix "HSTS bypass via trailing dot" is incomplete: the same asymmetry exists for hostnames with two or more trailing dots, so http://example.com../ still gets sent in plaintext when there's a valid HSTS...

4.3CVSS6.8AI score0.01118EPSS
Exploits1
GithubExploit
GithubExploit
added 2026/05/12 5:53 p.m.84 views

web-scanner

Web Vulnerability Scanner A Python-based web vulnerability sc...

6AI score
Exploits0
OSV
OSV
added 2026/05/04 1:12 p.m.11 views

JLSEC-2026-403

A cleartext transmission of sensitive information vulnerability exists in curl v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP...

6.5CVSS7.3AI score0.00861EPSS
Exploits0References6
OSV
OSV
added 2026/05/04 1:12 p.m.7 views

JLSEC-2026-402

A cleartext transmission of sensitive information vulnerability exists in curl v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is...

9.1CVSS6.8AI score0.00858EPSS
Exploits1References6
OSV
OSV
added 2026/05/04 1:12 p.m.8 views

JLSEC-2026-399

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure cleartext HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host nam...

7.5CVSS6.8AI score0.01644EPSS
Exploits0References22
OSV
OSV
added 2026/05/04 1:12 p.m.8 views

JLSEC-2026-419 When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's...

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with host...

5.9CVSS6.8AI score0.0197EPSS
Exploits1References16
Rows per page
Query Builder