Lucene search
K

261 matches found

Wiz blog
Wiz blog
added 2026/04/09 12:0 p.m.5 views

Bringing Security Visibility to Vercel with Wiz

Giving developers and security teams a shared view of application risk as it evolves...

5.9AI score
Exploits0
vulnersOsv
vulnersOsv
added 2026/03/30 5:7 p.m.6 views

@tinacms/app (>=0.0.0-0a1049d-20260309051347 <=2.4.0), @tinacms/cli (>=0.0.0-0a1049d-20260309051347 <=2.2.0) +4 more potentially affected by CVE-2026-33949 via @tinacms/graphql (>=2.0.0 <=2.2.1)

@tinacms/graphql NPM version =2.0.0, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =2.0.0, =0.0.0-0b7103c-20251216023146, =0.0.0-0a1049d-20260309051347, =0.0.0-0a1049d-20260309051347, =3.7.0 Source cves: CVE-2026-33949 Source advisory: SNYK:JS-TINACMSGRAPHQL-15855320...

8.1CVSS5.8AI score0.00386EPSS
Exploits0
EUVD
EUVD
added 2026/03/26 6:41 p.m.7 views

EUVD-2026-14982

Astro: Unauthenticated Path Override via x-astro-path / xastropath...

9.1CVSS5.8AI score0.00331EPSS
Exploits1References7
OSV
OSV
added 2026/03/26 6:41 p.m.2 views

GHSA-MR6Q-RP88-FX84 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Summary The @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirel...

6.5CVSS6.7AI score0.00331EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2026/03/26 6:41 p.m.7 views

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Summary The @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirel...

9.1CVSS5.9AI score0.00331EPSS
Exploits1References7Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:9 p.m.4 views

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

9.1CVSS5.8AI score0.00331EPSS
Exploits1References1
Snyk
Snyk
added 2026/03/24 8:30 p.m.8 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview @astrojs/vercel is a Deploy your site to Vercel Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via the x-astro-path header or xastropath query parameter, which allows overriding internal request paths without authentication. An...

9.1CVSS5.8AI score0.00331EPSS
Exploits1References2
NVD
NVD
added 2026/03/24 7:16 p.m.8 views

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

9.1CVSS0.00331EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/03/24 6:40 p.m.3 views

CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

6.5CVSS5.8AI score0.00331EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/24 6:40 p.m.13 views

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

6.5CVSS5.8AI score0.00331EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/03/24 6:40 p.m.20 views

CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

6.5CVSS0.00331EPSS
Exploits1References4
OSV
OSV
added 2026/03/24 6:40 p.m.7 views

CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

6.5CVSS5.8AI score0.00331EPSS
Exploits1References6
CVE
CVE
added 2026/03/24 6:40 p.m.18 views

CVE-2026-33768

Astro: Unauthenticated Path Override via x-astro-path/x_astro_path affects Astro 5.18.1 + @astrojs/vercel 9.0.4 and Astro 6.0.3 + @astrojs/vercel 10.0.0, with patch in 10.0.2. The vulnerable code rewrites the internal request path from a caller-supplied header or query parameter without authentic...

9.1CVSS5.8AI score0.00331EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.6 views

PT-2026-27487

Name of the Vulnerable Software and Affected Versions Astro versions prior to 10.0.2 Description Astro, a web framework, contains a flaw in the @astrojs/vercel serverless entrypoint. Versions prior to 10.0.2 do not authenticate requests using the x-astro-path header or x astro path query paramete...

9.1CVSS5.9AI score0.00331EPSS
Exploits1References10
RustSec
RustSec
added 2026/03/14 12:0 p.m.16 views

`tracing-ethers` was removed from crates.io due to malicious code

The tracing-ethers crate attempted to exfiltrate ssh keys to an app hosted on vercel.app The malicious crate had 9 version published on 2026-03-09 approximately 5 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io. Thanks to the...

5.8AI score
Exploits0
OSV
OSV
added 2026/03/14 12:0 p.m.5 views

RUSTSEC-2026-0040 `tracing-ethers` was removed from crates.io due to malicious code

The tracing-ethers crate attempted to exfiltrate ssh keys to an app hosted on vercel.app The malicious crate had 9 version published on 2026-03-09 approximately 5 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io. Thanks to the...

5.8AI score
Exploits0References2
OSV
OSV
added 2026/03/06 6:45 p.m.4 views

GHSA-9R75-G2CR-3H76 Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens

createWebhook in Vercel Workflow DevKit accepts a user-specified token parameter that serves as the credential for the public webhook endpoint /.well-known/workflow/v1/webhook/token. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote...

5.3CVSS6AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/06 6:45 p.m.8 views

Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens

createWebhook in Vercel Workflow DevKit accepts a user-specified token parameter that serves as the credential for the public webhook endpoint /.well-known/workflow/v1/webhook/token. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote...

6AI score
Exploits0References4Affected Software2
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/02 6:53 p.m.17 views

Security Bulletin: Components with known vulnerabilities in IBM QRadar Pre-Validation App for IBM QRadar SIEM

Summary Multiple components with known vulnerabilities were addressed in an IBM QRadar Pre-Validation App release Vulnerability Details CVEID:CVE-2025-32421 DESCRIPTION: Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-conditi...

9.1CVSS6.2AI score0.99621EPSS
Exploits73Affected Software1
The Hacker News
The Hacker News
added 2026/03/02 8:44 a.m.7 views

North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT

Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry. The packages masquerade as developer tools, but contain functionality to extract the actua...

6.2AI score
Exploits0
Rows per page
Query Builder