Browse and filter security vulnerabilities across ecosystems
Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration
PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes
Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
OpenClaw 2026.4.5 through 2026.4.19 - MiniMax API Host Override via Workspace dotenv
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy
GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayloa...
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History
go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting
Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .NET Remoting
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`