15 matches found

CNNVD
added 2026/05/26 12:00 a.m. · 5 views

Starlette environment issue vulnerability

Starlette is a lightweight ASGI framework/toolkit developed by Encode. It’s ideal for building asynchronous web services using Python. Versions of Starlette prior to 1.0.1 contained an environmental issue vulnerability. This vulnerability stemmed from the lack of validation of the HTTP Host reque...

CVSS 6.5 · AI score 5.8 · EPSS 0.00353
Exploits 2 · References 7
Github Security Blog
added 2026/04/03 9:43 p.m. · 5 views

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary: SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth...

CVSS 6.1 · AI score 6 · EPSS 0.00023
Exploits 1 · References 4 · Affected Software 1
Vulnrichment
added 2026/04/02 4:14 p.m. · 1 views

CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectU...

CVSS 6.1 · AI score 5.9 · EPSS 0.00023
Exploits 1 · References 2
CVE
added 2026/04/02 4:14 p.m. · 7 views

CVE-2026-34083

Signal K Server (signalk-server) prior to v2.24.0 contains a code-level vulnerability in its OIDC login/logout flow where an unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because redirectUri is silently unset by default, an attacker can spoof the Host header to direct...

CVSS 6.1 · AI score 5.9 · EPSS 0.00023
Exploits 1 · References 2 · Affected Software 1
ATTACKERKB
added 2026/04/02 4:14 p.m. · 2 views

CVE-2026-34083

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectU...

CVSS 6.1 · AI score 5.9 · EPSS 0.00023
Exploits 1 · References 3 · Affected Software 1
Positive Technologies
added 2026/03/13 12:00 a.m. · 4 views

PT-2026-25381

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification...

CVSS 8.2 · AI score 5.8 · EPSS 0.00044
Exploits 0 · References 7
ATTACKERKB
added 2026/02/06 6:50 p.m. · 3 views

CVE-2026-25651

client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Hos...

CVSS 6.1 · AI score 5.6 · EPSS 0.00019
Exploits 1 · References 3 · Affected Software 1
Positive Technologies
added 2026/02/06 12:00 a.m. · 2 views

PT-2026-6778

Name of the Vulnerable Software and Affected Versions: client-certificate-auth versions 0.2.1 through 0.3.0. Description: The software is middleware for Node.js that implements client SSL certificate authentication and authorization. Versions 0.2.1 and 0.3.0 contain an open redirect issue. The...

CVSS 6.1 · AI score 5.7 · EPSS 0.00019
Exploits 1 · References 9
Positive Technologies
added 2026/02/06 12:00 a.m. · 3 views

PT-2026-6861

Summary: Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. Vulnerable Code (javascript): //...

CVSS 6.1 · AI score 5.6 · EPSS 0.00019
Exploits 1 · References 6
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2025-18976

Malicious code in bioql PyPI...

CVSS 8.1 · AI score 6.3 · EPSS 0.00237
Exploits 1 · References 2
RedhatCVE
added 2025/06/26 3:12 a.m. · 5 views

CVE-2025-52560

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (the default behavior). This allows an attacker to...

CVSS 8.1 · AI score 7.2 · EPSS 0.00237
Exploits 1 · References 1
OSV
added 2025/06/24 2:56 a.m. · 2 views

CVE-2025-52560 Kanboard Password Reset Poisoning via Host Header Injection

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (the default behavior). This allows an attacker to...

CVSS 8.1 · AI score 6.6 · EPSS 0.00237
Exploits 1 · References 4
Positive Technologies
added 2025/06/24 12:00 a.m. · 2 views

PT-2025-26686 · Kanboard · Kanboard

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.46. Description: Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Ho...

CVSS 8.1 · AI score 6.2 · EPSS 0.00237
Exploits 1 · References 7
CNNVD
added 2025/05/16 12:00 a.m. · 2 views

Flask App Builder input validation error vulnerability

Flask App Builder is a simple and fast application development framework by the independent developer Daniel Vaz Gaspar. An input validation error vulnerability exists in Flask App Builder versions prior to 4.6.2, which stems from an unvalidated Host header and could lead to an open redirect...

CVSS 6.1 · AI score 6.3 · EPSS 0.00198
Exploits 0 · References 3
Cvelist
added 2018/09/06 11:00 p.m. · 16 views

CVE-2018-6320

A vulnerability has been discovered in login.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1RX before 8.1R12 and 8.3RX before 8.3R2, and Pulse Policy Secure (PPS) 5.2RX before 5.2R9 and 5.4RX before 5.4R2, wherein an HTTPS Host header received from the browser is trusted without validation...

AI score 9.5 · EPSS 0.03159
Exploits 0 · References 1