Lucene search
K

76 matches found

CVE
CVE
added 2026/07/01 11:13 p.m.40 views

CVE-2026-55791

Craft CMS vulnerability CVE-2026-55791 enables SSRF and Arbitrary JavaScript Injection via /actions/app/resource-js when assetManager.cacheSourcePaths is false and trustedHosts is permissive. An attacker can poison Host/X-Forwarded-Host to hijack $baseUrl, causing Craft::createGuzzleClient()->...

6.9CVSS5.8AI score0.0033EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/29 9:24 p.m.7 views

CVE-2026-46417

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server. The issue stems from how...

8.8CVSS5.8AI score0.00221EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.8 views

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Overview Craft CMS is vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the...

6.9CVSS6.1AI score0.0033EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.18 views

PT-2026-51113

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.9 Craft CMS versions 5.0.0-RC1 through 5.9.9 Description Craft CMS is subject to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection via the '/actions/app/resource-js' endpoint. The iss...

9.2CVSS6AI score0.0033EPSS
Exploits0References8
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

User Impersonation

Overview symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. Affected versions of this package are vulnerable to User...

9.3CVSS5.8AI score0.00064EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.8 views

Astra Linux – Vulnerability in python-reportlab

All versions of the reportlab package are vulnerable to Server-side Request Forgery SSRF via img tags. To reduce this risk, use trustedSchemes and trustedHosts see Reportlab’s documentation. Steps to reproduce by Karan Bamal: 1. Download and install the latest version of the reportlab package. 2...

6.5CVSS6.7AI score0.01487EPSS
Exploits1References2
NVD
NVD
added 2026/04/22 12:16 a.m.13 views

CVE-2026-41130

Craft CMS is a content management system CMS. In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted default...

7CVSS0.0026EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.12 views

Craft CMS 代码问题漏洞

Craft CMS is an open-source content management system developed by Craft CMS. There are code vulnerabilities in Craft CMS. These vulnerabilities stem from the resource-js endpoint, which allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly...

7CVSS5.9AI score0.0026EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.12 views

PT-2026-34221

Craft CMS is a content management system CMS. In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted default...

7CVSS5.9AI score0.0026EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/14 11:36 p.m.10 views

Craft CMS has a host header injection leading to SSRF via resource-js endpoint

Summary The resource-js endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When trustedHosts is not explicitly restricted default configuration, the application trusts the client-supplied Host header. This allows an attacker to control the derived baseUrl,...

7CVSS5.9AI score0.0026EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/04/14 11:36 p.m.9 views

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the actionResourceJs process. An attacker can cause the server to make arbitrary HTTP requests by supplying a malicious Host header when the trustedHosts...

7CVSS5.9AI score0.0026EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/14 8:1 p.m.7 views

@adonisjs/http-server has an Open Redirect vulnerability

Impact The response.redirect.back method in @adonisjs/http-server is vulnerable to open redirects. The method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header for example, by linking a...

6.1CVSS5.7AI score0.00248EPSS
Exploits0References6Affected Software2
NVD
NVD
added 2026/04/08 8:16 p.m.6 views

CVE-2026-39862

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute...

8.8CVSS0.00555EPSS
Exploits0References2
NVD
NVD
added 2026/04/07 5:16 p.m.8 views

CVE-2025-14821

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH Secure Shell connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an...

7.8CVSS0.00129EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/07 4:34 p.m.3 views

CVE-2025-14821

A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH Secure Shell connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an...

7.8CVSS6.5AI score0.00129EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/03 6:43 p.m.8 views

OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes

Summary When tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements...

9.1CVSS6AI score0.00401EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/24 7:43 a.m.8 views

CVE-2026-21863

A flaw was found in Valkey, a distributed key-value database. A malicious actor with access to the Valkey clusterbus port can exploit an input validation vulnerability by sending a specially crafted invalid clusterbus packet. This lack of validation for clusterbus ping extension packets can lead ...

7.5CVSS5.4AI score0.00552EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/02/20 4:29 p.m.7 views

CVE-2026-21620

A flaw was found in Erlang OTP tftpfile modules. This vulnerability allows an attacker to exploit a weakness in how file paths are handled, known as Relative Path Traversal. By manipulating these paths, an attacker could gain unauthorized access to sensitive files on the system, potentially leadi...

4.2CVSS5.8AI score0.00461EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/01/29 7:6 p.m.9 views

CVE-2025-45160

A HTML injection vulnerability exists in the file upload functionality of Cacti " port port="80" protocol="tcp" accept' firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="" port port="443" protocol="tcp" accept' firewall-cmd --reload Replace with the actual IP address or...

5.4CVSS5.5AI score0.002EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-1999-1448

Malware in sbrugna...

10CVSS6.4AI score0.10226EPSS
Exploits0References4
Rows per page
Query Builder