Lucene search
+L

1290 matches found

nvd
nvd
added 2026/07/08 1:16 a.m.7 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS0.00222EPSS
Exploits0References7
nvd
nvd
added 2026/07/08 1:16 a.m.6 views

CVE-2026-55430

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...

6.8CVSS0.00208EPSS
Exploits0References6
euvd
euvd
added 2026/07/08 12:31 a.m.6 views

EUVD-2026-42151

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS6AI score0.00222EPSS
Exploits0References7
cvelist
cvelist
added 2026/07/08 12:31 a.m.36 views

CVE-2026-55438 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

5.8CVSS0.00222EPSS
Exploits0References7
cve
cve
added 2026/07/08 12:31 a.m.14 views

CVE-2026-55438

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...

6.8CVSS6AI score0.00222EPSS
Exploits0References7Affected Software1
attackerkb
attackerkb
added 2026/07/08 12:31 a.m.6 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

5.8CVSS6AI score0.00222EPSS
Exploits0References8Affected Software1
osv
osv
added 2026/07/08 12:31 a.m.5 views

CVE-2026-55438 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

5.8CVSS6AI score0.00222EPSS
Exploits0References9
osv
osv
added 2026/07/08 12:20 a.m.8 views

CVE-2026-55432 Coder's sub-agent app registration bypasses template port-sharing policy enforcement

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the CreateSubAgent RPC did not validate a requested app sharing level against the template's MaxPortSharingLevel before persisting workspace apps, letting a...

5.4CVSS6AI score0.00315EPSS
Exploits0References8
cve
cve
added 2026/07/08 12:3 a.m.15 views

CVE-2026-55430

Coder's workspace app (github.com/coder/coder) prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusts X-Forwarded-Host for routing because no middleware strips it before routing and httpapi.RequestHost() prefers that header over Host. This enables cross-app data access when subdomain (wildca...

6.8CVSS6AI score0.00208EPSS
Exploits0References6Affected Software1
cvelist
cvelist
added 2026/07/08 12:3 a.m.34 views

CVE-2026-55430 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...

5.8CVSS0.00208EPSS
Exploits0References6
osv
osv
added 2026/07/08 12:3 a.m.8 views

CVE-2026-55430 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...

5.8CVSS6AI score0.00208EPSS
Exploits0References8
osv
osv
added 2026/07/07 4:41 p.m.8 views

GO-2026-5917 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder

Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access in github.com/coder/coder...

6.8CVSS5.9AI score0.00208EPSS
Exploits0References2
osv
osv
added 2026/07/07 4:41 p.m.9 views

GO-2026-5918 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder...

6.8CVSS5.9AI score0.00222EPSS
Exploits0References3
osv
osv
added 2026/07/06 9:14 p.m.4 views

GHSA-5WG6-JMQ2-53PW Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing

Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...

5.8CVSS5.9AI score0.00222EPSS
Exploits0References4
github
github
added 2026/07/06 9:14 p.m.6 views

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing

Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...

6.8CVSS5.9AI score0.00222EPSS
Exploits0References4Affected Software1
osv
osv
added 2026/07/06 9:5 p.m.3 views

GHSA-5G4W-3VW9-478W Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Summary The workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch calls...

5.8CVSS6AI score0.00208EPSS
Exploits0References3
github
github
added 2026/07/06 9:5 p.m.6 views

Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Summary The workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch calls...

6.8CVSS6AI score0.00208EPSS
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.9 views

PT-2026-56082

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The subdomain-based workspace app proxy allows a bypass of the same-owner Cross-Origin Resource Sharing CO...

5.8CVSS6AI score0.00222EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.12 views

PT-2026-56074

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The workspace app proxy resolves the target app using the httpapi.RequestHost function, which prioritizes...

5.8CVSS5.9AI score0.00208EPSS
Exploits0References9
f5
f5
added 2026/06/29 3:39 p.m.9 views

K000161963: Golang vulnerability CVE-2025-61727

Security Advisory Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example . com does not prevent a leaf certificate from claiming the SAN .example.co...

6.5CVSS6.7AI score0.00274EPSS
Exploits0Affected Software2
Rows per page
Query Builder