Lucene search
K

76 matches found

CVE
CVE
added yesterday15 views

CVE-2026-55436

The CVE-2026-55436 issue affects Coder’s AI Bridge Proxy (aibridgeproxyd) in versions prior to 2.32.7, 2.33.8, and 2.34.2. The root cause is that the proxy’s default goproxy transport uses InsecureSkipVerify: true and only switches to a secure transport if an upstream proxy is configured; thus ou...

7.4CVSS6AI score0.00258EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added yesterday5 views

EUVD-2026-42136

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...

6.8CVSS6AI score0.00196EPSS
Exploits0References6
OSV
OSV
added 3 days ago3 views

GHSA-84RM-42XW-MX52 Coder's AI Bridge Proxy skips TLS certificate verification in default configuration

Summary The AI Bridge Proxy aibridgeproxyd created a goproxy server whose default transport set InsecureSkipVerify: true and only assigned a secure transport when an upstream proxy was configured. In the default configuration no upstream proxy, outbound HTTPS to the Coder access URL accepted any...

7.4CVSS6AI score0.00258EPSS
Exploits0References3
OSV
OSV
added 3 days ago3 views

GHSA-5G4W-3VW9-478W Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Summary The workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch calls...

5.8CVSS6AI score0.00196EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56074

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The workspace app proxy resolves the target app using the httpapi.RequestHost function, which prioritizes...

5.8CVSS5.9AI score0.00196EPSS
Exploits0References9
NVD
NVD
added 2026/06/17 8:16 p.m.10 views

CVE-2026-10741

Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials...

5.9CVSS0.0026EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/17 7:1 p.m.11 views

EUVD-2026-37783

Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials...

5.9CVSS5.2AI score0.0026EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/04 12:0 a.m.18 views

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS : nginx vulnerabilities (USN-8375-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8375-1 advisory. It was discovered that the nginx ngxmailsmtpmodule module incorrectly handled certain memory operations when doing SM...

9.2CVSS9.1AI score0.61469EPSS
Exploits43References13
OPENSUSE Linux
OPENSUSE Linux
added 2026/05/25 12:0 a.m.11 views

Security update for nginx (important)

openSUSE security update: security update for nginx ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20784-1 Rating: important References: bsc1257675 bsc1260416 bsc1260417 bsc1260418 bsc1260419 Cross-References: CVE-2026-1642 CVE-2026-27654...

8.3CVSS6.3AI score0.21621EPSS
Exploits0References5
Debian
Debian
added 2026/05/18 2:19 p.m.23 views

[SECURITY] [DLA 4589-1] nginx security update

Debian LTS Advisory DLA-4589-1 [email protected] https://www.debian.org/lts/security/ Carlos Henrique Lima Melara May 18, 2026 https://wiki.debian.org/LTS Package : nginx Version : 1.18.0-6.1+deb11u6 CVE ID : CVE-2025-53859 CVE-2026-1642 CVE-2026-27651 CVE-2026-27654 CVE-2026-27784...

9.2CVSS8AI score0.61469EPSS
Exploits40
Veracode
Veracode
added 2026/05/14 5:48 p.m.11 views

Authentication Bypass

Traefik is vulnerable to Authentication Bypass. The vulnerability is due to improper handling in the ForwardAuth middleware when trustForwardHeader=false is configured behind a trusted upstream proxy, which allows an attacker to bypass authentication controls and gain unauthorized access...

10CVSS5.8AI score0.00267EPSS
Exploits1References10Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/08 12:6 p.m.12 views

CVE-2026-35051

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This authentication bypass vulnerability exists in Traefik's ForwardAuth middleware when the trustForwardHeader setting is configured as false and Traefik is deployed behind a trusted upstream proxy. A remote attacker could...

10CVSS5.8AI score0.00267EPSS
Exploits1References7
SUSE CVE
SUSE CVE
added 2026/05/05 1:45 a.m.7 views

SUSE CVE-2026-35051

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issu...

10CVSS5.7AI score0.00267EPSS
Exploits1References3
Packet Storm
Packet Storm
added 2026/05/05 12:0 a.m.70 views

📄 SumatraPDF 3.5.2 Remote Code Execution

SumatraPDF versions 3.5.0 to 3.5.2 disable TLS hostname verification during update checks using INTERNETFLAGIGNORECERTCNINVALID and do not perform any signature or integrity validation on the downloaded installer. Exploit Title: SumatraPDF 3.5.2 - Remote Code Execution Date: 2026-02-10 Exploit...

7.5CVSS5.8AI score0.00445EPSS
Exploits4
AlpineLinux
AlpineLinux
added 2026/04/30 8:26 p.m.7 views

CVE-2026-35051

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issu...

10CVSS5.7AI score0.00267EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/30 8:26 p.m.5 views

CVE-2026-35051

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issu...

7.8CVSS5.2AI score0.00267EPSS
Exploits1References5Affected Software1
CVE
CVE
added 2026/04/30 8:26 p.m.83 views

CVE-2026-35051

CVE-2026-35051 describes an authentication bypass in Traefik’s ForwardAuth middleware when trustForwardHeader=false and Traefik sits behind a trusted upstream proxy. A spoofed X-Forwarded-Prefix can bypass auth decisions, potentially granting access to protected backend routes. Affected versions ...

10CVSS5.2AI score0.00267EPSS
Exploits1References8Affected Software1
CNNVD
CNNVD
added 2026/04/30 12:0 a.m.13 views

Traefik 数据伪造问题漏洞

Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. Versions prior to Traefik 2.11.43, 3.6.14, and 3.7.0-rc.2 contained a data manipulation vulnerability. This vulnerability stems from the ForwardAuth middleware, which has a authentication bypass vulnerability wh...

10CVSS5.7AI score0.00267EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/24 4:31 p.m.14 views

Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication

Summary There is a high-severity authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. While X-Forwarded- headers such as X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto...

10CVSS5.6AI score0.00267EPSS
Exploits1References6Affected Software3
Snyk
Snyk
added 2026/04/24 4:31 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth middleware when trustForwardHeader is set to false and the deployment is behind a trusted upstream proxy. An attacker can gain unauthorized access to protected backend...

10CVSS5.5AI score0.00267EPSS
Exploits1References2
Rows per page
Query Builder