Total
404 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-57965 | 1 Axios | 1 Axios | 2025-09-19 | N/A | N/A |
| In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href',href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability. | |||||
| CVE-2025-24010 | 1 Vitejs | 1 Vite | 2025-09-19 | N/A | 6.5 MEDIUM |
| Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4.5.6. | |||||
| CVE-2024-51037 | 1 Kodcloud | 1 Kodbox | 2025-09-16 | N/A | 5.3 MEDIUM |
| An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function. | |||||
| CVE-2025-51605 | 1 Shopizer | 1 Shopizer | 2025-09-12 | N/A | 8.1 HIGH |
| An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read sensitive responses. | |||||
| CVE-2025-9636 | 1 Pgadmin | 1 Pgadmin 4 | 2025-09-11 | N/A | 7.9 HIGH |
| pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation. | |||||
| CVE-2025-10193 | 2025-09-11 | N/A | N/A | ||
| DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed. | |||||
| CVE-2025-5824 | 1 Autel | 18 Maxicharger Ac Elite Business C50, Maxicharger Ac Elite Business C50 Firmware, Maxicharger Ac Pro and 15 more | 2025-09-10 | N/A | 7.5 HIGH |
| Autel MaxiCharger AC Wallbox Commercial Origin Validation Error Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Wallbox Commercial. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the handling of bluetooth pairing requests. The issue results from insufficient validation of the origin of commands. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26353. | |||||
| CVE-2024-13068 | 2025-09-04 | N/A | 7.3 HIGH | ||
| Origin Validation Error vulnerability in Akinsoft LimonDesk allows Forceful Browsing.This issue affects LimonDesk: from s1.02.14 before v1.02.17. | |||||
| CVE-2024-12973 | 2025-09-02 | N/A | 4.7 MEDIUM | ||
| Origin Validation Error vulnerability in Akinsoft OctoCloud allows HTTP Response Splitting, CAPEC - 87 - Forceful Browsing.This issue affects OctoCloud: from s1.09.01 before v1.11.01. | |||||
| CVE-2025-47909 | 2025-08-29 | N/A | 7.3 HIGH | ||
| Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin header is checked with sameOrigin against a synthetic URL. However, if a host is added to TrustedOrigins, both its HTTP and HTTPS origins will be allowed, because the schema of the synthetic URL is ignored and only the host is checked. For example, if an application is hosted on https://example.com and adds example.net to TrustedOrigins, a network attacker can serve a form at http://example.net to perform the attack. Applications should migrate to net/http.CrossOriginProtection, introduced in Go 1.25. If that is not an option, a backport is available as a module at filippo.io/csrf, and a drop-in replacement for the github.com/gorilla/csrf API is available at filippo.io/csrf/gorilla. | |||||
| CVE-2024-55948 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 8.2 HIGH |
| Discourse is an open source platform for community discussion. In affected versions an attacker can make craft an XHR request to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value. | |||||
| CVE-2025-23023 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 8.2 HIGH |
| Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade may disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value. | |||||
| CVE-2024-55917 | 1 Trendmicro | 1 Apex One | 2025-08-25 | N/A | 7.8 HIGH |
| An origin validation error vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2025-7365 | 1 Redhat | 1 Keycloak | 2025-08-21 | N/A | 5.4 MEDIUM |
| A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. | |||||
| CVE-2025-8881 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-08-14 | N/A | 6.5 MEDIUM |
| Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2024-28883 | 1 F5 | 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client | 2025-08-06 | N/A | 7.4 HIGH |
| An origin validation vulnerability exists in BIG-IP APM browser network access VPN client for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2024-11045 | 1 Automatic1111 | 1 Stable-diffusion-webui | 2025-08-05 | N/A | 9.6 CRITICAL |
| A Cross-Site WebSocket Hijacking (CSWSH) vulnerability in automatic1111/stable-diffusion-webui version 1.10.0 allows an attacker to clone a malicious server extension from a GitHub repository. The vulnerability arises from the lack of proper validation on WebSocket connections at ws://127.0.0.1:7860/queue/join, enabling unauthorized actions on the server. This can lead to unauthorized cloning of server extensions, execution of malicious scripts, data exfiltration, and potential denial of service (DoS). | |||||
| CVE-2024-8024 | 1 Youdao | 1 Qanything | 2025-08-01 | N/A | 7.5 HIGH |
| A CORS misconfiguration vulnerability exists in netease-youdao/qanything version 1.4.1. This vulnerability allows an attacker to bypass the Same-Origin Policy, potentially leading to sensitive information exposure. Properly implementing a restrictive CORS policy is crucial to prevent such security issues. | |||||
| CVE-2024-5549 | 1 Stitionai | 1 Devika | 2025-07-15 | N/A | 8.1 HIGH |
| A CORS misconfiguration in the stitionai/devika repository allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability also enables attackers to perform actions on behalf of the user, such as deleting projects or sending messages. The issue arises from the lack of proper origin validation, allowing unauthorized cross-origin requests to be executed. The vulnerability is present in all versions of the repository, as no fixed version has been specified. | |||||
| CVE-2024-10956 | 1 Binary-husky | 1 Gpt Academic | 2025-07-15 | N/A | 7.1 HIGH |
| GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site WebSocket Hijacking (CSWSH). This vulnerability allows an attacker to hijack an existing WebSocket connection between the victim's browser and the server, enabling unauthorized actions such as deleting conversation history without the victim's consent. The issue arises due to insufficient WebSocket authentication and lack of origin validation. | |||||