Lucene search
K

11 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-388 LiteLLM: Authentication Bypass via Host Header Injection

Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from request.url.path in litellm/proxy/auth/authutils.py::getrequestroute, which Starlette reconstructs...

9.5CVSS5.8AI score0.00559EPSS
Exploits1References6
Snyk
Snyk
added 2026/06/16 11:38 p.m.9 views

User Impersonation

Overview litellm-proxy-extras is an Additional files for the LiteLLM Proxy. Reduces the size of the main litellm package. Affected versions of this package are vulnerable to User Impersonation via manipulation of the Host header during HTTP requests. An attacker can gain unauthorized access to...

9.8CVSS5.8AI score0.00559EPSS
Exploits1References2
OSV
OSV
added 2026/06/16 11:38 p.m.5 views

GHSA-4XPC-PV4P-PM3W LiteLLM: Authentication Bypass via Host Header Injection

Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from request.url.path in litellm/proxy/auth/authutils.py::getrequestroute, which Starlette reconstructs...

9.5CVSS5.4AI score0.00559EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.13 views

PT-2026-50152

Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.84.0 Description A Host-header parsing flaw in the LiteLLM proxy allows unauthenticated access to protected management routes. The authentication layer derives the effective route from request.url.path in the get...

9.8CVSS5.8AI score0.00559EPSS
Exploits1References16
Snyk
Snyk
added 2026/06/15 8:22 p.m.34 views

HTTP Request Smuggling

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to HTTP Request Smuggling through the QuerystringParser function. An attacker can bypass upstream validation and inject or override form fields by crafting specially formatted...

6.3CVSS5.4AI score0.00176EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.13 views

PT-2026-49570

Name of the Vulnerable Software and Affected Versions Python-Multipart versions prior to 0.0.30 Description The QuerystringParser treated the semicolon ; as a field separator in application/x-www-form-urlencoded bodies, in addition to the ampersand &. This deviates from the WHATWG URL standard,...

3.7CVSS6.8AI score0.00176EPSS
Exploits0References16
EUVD
EUVD
added 2026/04/07 9:32 p.m.2 views

EUVD-2025-209280

Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inje...

6AI score0.00451EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/07 12:0 a.m.9 views

CVE-2025-71058

Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inje...

6AI score0.00451EPSS
Exploits0References3
NVD
NVD
added 2026/04/02 5:16 p.m.7 views

CVE-2026-26961

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

5.3CVSS0.00253EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/02 4:42 p.m.7 views

CVE-2026-26961

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

3.7CVSS5.8AI score0.00253EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2021/07/15 12:0 a.m.4 views

PT-2021-6606 · Hashicorp +2 · Hashicorp Consul +3

Name of the Vulnerable Software and Affected Versions: HashiCorp Consul and Consul Enterprise versions 1.3.0 through 1.10.0 Description: The issue is related to the absence of validation of the destination service identity in the encoded subject alternative name in the Envoy proxy TLS...

8.8CVSS5.8AI score0.3479EPSS
Exploits3References46
Rows per page
Query Builder