Lucene search
K

1727 matches found

EUVD
EUVD
added yesterday4 views

EUVD-2026-41425

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS5.9AI score
Exploits0References4
RedHat Linux
RedHat Linux
added 2 days ago4 views

crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application

A flaw was found in the crypto/x509 package within Go golang. When verifying a certificate chain, excluded DNS Domain Name System constraints are not correctly applied to wildcard DNS Subject Alternative Names SANs if the case of the SAN differs from the constraint. This oversight could allow an...

8.8CVSS5.8AI score0.0034EPSS
Exploits0References8
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-40432

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

6.9CVSS5.8AI score0.00182EPSS
Exploits0References3
NVD
NVD
added 3 days ago4 views

CVE-2026-56277

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

6.9CVSS0.00182EPSS
Exploits0References2
NVD
NVD
added 3 days ago4 views

CVE-2025-71381

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

6.9CVSS0.0028EPSS
Exploits0References2
CVE
CVE
added 3 days ago5 views

CVE-2026-56277

Flowise (pre-3.1.2) exposes a security flaw in its text-to-speech (TTS) endpoint. The endpoint at packages/server/src/controllers/text-to-speech/index.ts sets Access-Control-Allow-Origin to a hardcoded wildcard (*), bypassing the server’s configured CORS policy and enabling cross-origin requests ...

6.9CVSS5.8AI score0.00182EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago21 views

CVE-2026-56277 Flowise - Hardcoded CORS Wildcard in TTS Endpoint

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

6.9CVSS0.00182EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago21 views

CVE-2025-71381 Hono - Vary Header Injection in CORS Middleware

Hono before 4.10.2 fixed in 4.10.3 contains a flaw in its CORS middleware: when the origin is not set to "", the middleware copies the Vary header from the incoming request into the response. Because Vary is a response header that should be managed by the server, an attacker can supply arbitrary...

6.9CVSS0.0028EPSS
Exploits0References2
F5 Networks
F5 Networks
added 4 days ago6 views

K000161963: Golang vulnerability CVE-2025-61727

Security Advisory Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example . com does not prevent a leaf certificate from claiming the SAN .example.co...

6.5CVSS6.7AI score0.00274EPSS
Exploits0Affected Software2
RedhatCVE
RedhatCVE
added last week8 views

CVE-2026-48618

A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS Transport Layer Security hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security...

7.7CVSS6.9AI score0.00674EPSS
Exploits0References4
CVE
CVE
added last week12 views

CVE-2026-52781

OpenProject CVE-2026-52781 affects the open-source, web-based project management software. Prior to versions 17.3.3 and 17.4.1, the HTML sanitizer allowed elements to have unrestricted data-* attributes via a :data wildcard. An attacker could inject data-controller="poll-for-changes" into a work...

6.4CVSS5.9AI score0.0015EPSS
Exploits0References1
NVD
NVD
added last week7 views

CVE-2026-57231

Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk wi...

7.5CVSS0.0026EPSS
Exploits0References2
CVE
CVE
added last week14 views

CVE-2026-57231

CVE-2026-57231 affects Podman versions 1.8.1 through 5.8.4, where a container image with an Env entry having only a key (and using the * wildcard) can cause host environment variables to be leaked into the container at run time. The PTSecurity document confirms the issue is addressed in Podman 5....

7.5CVSS5.8AI score0.0026EPSS
Exploits0References2
OSV
OSV
added 2026/06/26 2:16 a.m.3 views

ALPINE-CVE-2026-48618

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under...

6.5CVSS7.1AI score0.00674EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 2:16 a.m.9 views

CVE-2026-48618

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under...

7.7CVSS0.00674EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 1:14 a.m.177 views

CVE-2026-48618

CVE-2026-48618 is a Node.js TLS hostname handling issue involving unicode dot separator handling that can bypass wildcard-depth authentication due to resolver/verifier hostname normalization mismatches. Connected updates confirm the vulnerability affects Node.js 22, 24, and 26 across releases. SU...

7.7CVSS6.7AI score0.00674EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/06/26 1:14 a.m.9 views

CVE-2026-48618

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under...

7.7CVSS6.7AI score0.00674EPSS
Exploits0
EUVD
EUVD
added 2026/06/26 1:14 a.m.8 views

EUVD-2026-39610

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under...

7.7CVSS7.1AI score0.00674EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.11 views

PT-2026-52909

Name of the Vulnerable Software and Affected Versions RustFS version 1.0.0-beta.4 Description Authenticated users with PutObject permission on their own bucket can exploit a path traversal issue in the Snowball auto-extract feature to write arbitrary objects into buckets belonging to other users,...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/25 11:52 p.m.5 views

CVE-2026-53221

A flaw was found in the Linux kernel, specifically within the ip6vti component responsible for managing IPv6 tunnels. This vulnerability arises from an error in the vti6tnllookup function, which incorrectly matches network tunnels by failing to properly verify wildcard addresses during fallback...

9.8CVSS5.8AI score0.00559EPSS
Exploits0References4
Rows per page
Query Builder