683 matches found
Artica Web Proxy 4.30 - OS Command Injection
Artica Web Proxy 4.30 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via servicecmdspeform. id: CVE-2020-17505 info: name: Artica Web Proxy 4.30 - OS Command Injection author: dwisiswant0...
CVE-2026-49800
Integer overflow or wraparound in Windows Web Proxy Auto-Discovery Protocol WPAD allows an authorized attacker to elevate privileges locally...
CVE-2026-50480
Windows Web Proxy Auto-Discovery Protocol (WPAD) has a heap-based buffer overflow vulnerability (CVE-2026-50480) that can be exploited by an authenticated local attacker to achieve privilege escalation. The issue affects WPAD in Windows, with the root cause described as a heap-based overflow in W...
CVE-2026-49800 Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability
...
CVE-2026-49800 Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability
...
PT-2026-58455
Name of the Vulnerable Software and Affected Versions Windows affected versions not specified Description A heap-based buffer overflow exists in the Windows Web Proxy Auto-Discovery Protocol WPAD. This flaw allows an authorized attacker with local access to elevate their privileges on the system....
UBUNTU-CVE-2026-13316
A flaw has been found in foreman when HTTP parameters are modified in httpproxiescontroller and httpproxy files. Attackers can perform an SSRF attack and steal cloud metadata service on AWS/GCP/Azure environment through foreman component...
CVE-2026-12473 OHIF Viewers DICOM Server-Side request forgery
Two data sources DICOMWebProxy and DICOMJSON shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the...
CVE-2026-54665 Apache NiFi: Missing Validation for Proxy Host Headers
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in...
EUVD-2026-38216
Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in...
DEBIAN-CVE-2026-54387
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the...
MAL-2026-5937 Malicious code in abuden21 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22 The tarball ships auto-publish.sh, which iterates a hardcoded list of 90 unrelated package names imillegal1..N, ishowfeet, nottuff, abuden,...
Malicious code in nottuff15 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea629a411d1555cb4dbc80aa218539333aefce15e110ad0a5eaa16e4a58ab5f3 nottuff15 is one entry in a coordinated npm namespace-spam campaign. The tarball ships auto-publish.sh, a bash script that copies the package content...
EulerOS 2.0 SP13 : libsoup (EulerOS-SA-2026-2341)
According to the versions of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in...
Insertion of Sensitive Information Into Sent Data
Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain proxy credentials by inducing a redirect from an HTTP request sent...
GHSA-P92Q-9VQR-4J8V Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
Summary Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected UR...
PT-2026-49120
Root has patched GHSA-6x33-pw7p-hmpq in the @rootio/http-proxy package for Root:npm. Multiple fixed versions available...
libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential...
Malicious Package
Overview sixseven6 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisin...
Malicious Package
Overview nottuff10 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisin...