3 matches found
CVE-2026-39807
Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determinescheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the...
CVE-2026-39807
The CVE describes a vulnerability in Bandit (Elixir) where the function Elixir.Bandit.Pipeline:determine_scheme/2 returns the client-supplied URI scheme verbatim, ignoring the transport’s secure flag. On plaintext TCP, a client can declare https and Bandit will set conn.scheme = :https even witho...
CVE-2026-33427
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions...