Weak Password Recovery Mechanism for Forgotten Password
Overview Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the ApplyXForwarded process. An attacker can gain unauthorized access to user accounts and bypass two-factor authentication by injecting a malicious X-Forwarded-Host header...
PT-2026-34172
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By...
GHSA-PHHV-63FH-RRC8 Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation
Jenkins 2.442 through 2.554 (both inclusive) and LTS 2.426.3 through LTS 2.541.2 (both inclusive) perform origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...
CVE-2026-26234
JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Host header. Attackers can manipulate proxied requests to generate tainted responses, enabling cache...
EUVD-2018-8629
Malware in sbrugna...
EUVD-2022-2728
Malicious code in bioql PyPI...
EUVD-2024-3268
Malicious code in bioql PyPI...
CVE-2021-29479
Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a user supplied X-Forwarded-Host header can be used to perform cache poisoning of a cache fronting a Ratpack server if the cache key does not include the X-Forwarded-Host header as a cache key. Users are only vulnerab...
Medium: pcs
Issue Overview: Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host XFH header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrar...
Amazon Linux 2 : pcs (ALAS-2025-2853)
The version of pcs installed on the remote host is prior to 0.9.169-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2853 advisory. Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the...
A vulnerability in the Ruby Sinatra web application development framework, caused by errors in handling input data, allows attackers to compromise the confidentiality and integrity of protected information.
A vulnerability in the Ruby Sinatra web application development framework is caused by errors in processing input data. Exploiting this vulnerability allows an attacker to compromise the confidentiality and integrity of protected information through the X-Forwarded-Host header...
Moderate: Red Hat Security Advisory: pcs security update
An update for pcs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CV...
ALSA-2024:10987 Moderate: pcs security update
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fixes: sinatra: Open Redirect Vulnerability in Sinatra via X-Forwarded-Host Header CVE-2024-21510 For more details about the security issues, including the impact, a CVSS score,...
CVE-2024-21510
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host XFH header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into...
Server-Side Request Forgery in github.com/greenpau/caddy-security
All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery SSRF via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by...
CVE-2024-21498
CVE-2024-21498: SSRF in the Go package github.com/greenpau/caddy-security across all versions, caused by manipulation of the X-Forwarded-Host header. Impact: attacker may access sensitive data or reach internal services. Remediation status: no concrete fix version is identified in the provided d...
ZITADEL Authorization Issues Vulnerability
ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the age of containers and serverless in the Swiss ZITADEL open source. An authorization issue vulnerability exists in ZITADEL versions prior to 2.41.6, prior to 2.40.10, and prior to 2.39.9,...
Mozilla: DOS via cache poisoning on [developer.mozilla.org]
A vulnerability was discovered on the developer.mozilla.org website that allowed an attacker to perform a denial-of-service DoS attack by adding an "X-Forwarded-Host" header with a value causing a 404 error. The website's cache configuration allowed the error response to be saved and served to...
CVE-2022-37041
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite ZCS 8.8.15 and 9.0. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The value of X-Forwarded-Host header is not checked against the whitelist of...
PT-2022-23765 · Zimbra · Zimbra Collaboration Suite
Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite versions 8.8.15 through 9.0 Description: An issue was discovered in ProxyServlet.java in the /proxy servlet. The value of the X-Forwarded-Host header overwrites the value of the Host header in proxied requests. The...