Common Weakness Enumeration

CWE-348

Allowed

Use of Less Trusted Source

Abstraction: Base · Status: Draft

The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

114 vulnerabilities reference this CWE, most recent first.

GHSA-QJ5Q-VMR2-GMQ3

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 21:34
VLAI
Details

Raytha CMS allows an attacker to spoof X-Forwarded-Host or Host headers to attacker controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim's password and take over the victim's account.

This issue was fixed in version 1.4.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T14:18:01Z",
    "severity": "HIGH"
  },
  "details": "Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\u00a0can force the server to send an email with\u00a0password reset link pointing to the domain from spoofed header. When victim clicks the link,\u00a0browser sends request to the attacker\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\u00a0over the victim\u0027s account.\n\nThis issue was fixed in version 1.4.6.",
  "id": "GHSA-qj5q-vmr2-gmq3",
  "modified": "2026-03-16T21:34:32Z",
  "published": "2026-03-16T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69240"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/03/CVE-2025-69236"
    },
    {
      "type": "WEB",
      "url": "https://raytha.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R277-F4FH-CWV4

Vulnerability from github – Published: 2025-09-08 06:30 – Updated: 2025-09-08 06:30
VLAI
Details

RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which could result in tampering with the operation history of the product’s management tool.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-08T05:15:34Z",
    "severity": "LOW"
  },
  "details": "RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which could result in tampering with the operation history of the product\u2019s management tool.",
  "id": "GHSA-r277-f4fh-cwv4",
  "modified": "2025-09-08T06:30:32Z",
  "published": "2025-09-08T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58422"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN75307484"
    },
    {
      "type": "WEB",
      "url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RFJ2-6V8R-3W64

Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31
VLAI
Details

Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T22:17:09Z",
    "severity": "CRITICAL"
  },
  "details": "Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.",
  "id": "GHSA-rfj2-6v8r-3w64",
  "modified": "2026-07-10T00:31:27Z",
  "published": "2026-07-10T00:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nesquena/hermes-webui/pull/3758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nesquena/hermes-webui/commit/70596e6993be0d4cee083c1c1a86f5e7ad5d57b7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.51.307"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/hermes-webui-authentication-bypass-via-x-forwarded-for-header-spoofing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RJR7-JGGH-PGCP

Vulnerability from github – Published: 2026-06-25 18:19 – Updated: 2026-06-25 18:19
VLAI
Summary
chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header
Details

Summary

realip middleware in go-chi/chi trusts headers like x-forwarded-for without checking them, so attackers can fake their ip and bypass rate limits or access controls

Details

the vuln is in middleware/realip.go , the realIP() function pulls IPs straight from client headers and replaces r.RemoteAddr without checking if the request came from a trusted proxy

func realIP(r *http.Request) string {
    var ip string
    if tcip := r.Header.Get(trueClientIP); tcip != "" {
        ip = tcip  // controlled by attacker
    } else if xrip := r.Header.Get(xRealIP); xrip != "" {
        ip = xrip  // controlled by attacker
    } else if xff := r.Header.Get(xForwardedFor); xff != "" {
        ip, _, _ = strings.Cut(xff, ",")  // controlled by attacker
    }
    // ...
    return ip
}

no trusted proxy cidr check in place, any client can send these headers

PoC

create a server with chi and use realip middleware

package main

import (
    "fmt"
    "net/http"
    "github.com/go-chi/chi/v5"
    "github.com/go-chi/chi/v5/middleware"
)

func main() {
    r := chi.NewRouter()
    r.Use(middleware.RealIP)

    r.Get("/admin", func(w http.ResponseWriter, r *http.Request) {
        // ip-based access control got bypassed
        if r.RemoteAddr == "127.0.0.1" {
            w.Write([]byte("SECRET ADMIN DATA"))
            return
        }
        http.Error(w, "Forbidden", 403)
    })

    http.ListenAndServe(":8080", r)
}

spoofed the ip to bypass access control

curl -H "X-Forwarded-For: 127.0.0.1" http://localhost:8080/admin

Impact

  • ip-based access control bypass lets attackers reach restricted endpoints
  • rate limiting bypass lets attackers avoid limits by rotating spoofed ips
  • audit logs show fake ips picked by attacker instead of real ones
  • attackers can get around geo ip restrictions

Remediation Recommendation

validate proxy cidr first before trusting forwarded ip headers

// add your reverse proxy ip addresses here
var trustedProxies = []net.IPNet{
       {IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(8, 32)},
    {IP: net.ParseIP("172.16.0.0"), Mask: net.CIDRMask(12, 32)},
    {IP: net.ParseIP("192.168.0.0"), Mask: net.CIDRMask(16, 32)},
}

func isTrustedProxy(ip net.IP) bool {
    for _, cidr := range trustedProxies {
        if cidr.Contains(ip) {
            return true
        }
    }
    return false
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-chi/chi/middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-chi/chi/v2/middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-chi/chi/v3/middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-chi/chi/v4/middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-chi/chi/v5/middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-348"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:19:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nrealip middleware in go-chi/chi trusts headers like x-forwarded-for without checking them, so attackers can fake their ip and bypass rate limits or access controls\n\n### Details\n\nthe vuln is in middleware/realip.go , the realIP() function pulls IPs straight from client headers and replaces r.RemoteAddr without checking if the request came from a trusted proxy\n\n```go\nfunc realIP(r *http.Request) string {\n    var ip string\n    if tcip := r.Header.Get(trueClientIP); tcip != \"\" {\n        ip = tcip  // controlled by attacker\n    } else if xrip := r.Header.Get(xRealIP); xrip != \"\" {\n        ip = xrip  // controlled by attacker\n    } else if xff := r.Header.Get(xForwardedFor); xff != \"\" {\n        ip, _, _ = strings.Cut(xff, \",\")  // controlled by attacker\n    }\n    // ...\n    return ip\n}\n```\n\nno trusted proxy cidr check in place, any client can send these headers\n\n### PoC\n\ncreate a server with chi and use realip middleware\n\n```go\npackage main\n\nimport (\n    \"fmt\"\n    \"net/http\"\n    \"github.com/go-chi/chi/v5\"\n    \"github.com/go-chi/chi/v5/middleware\"\n)\n\nfunc main() {\n    r := chi.NewRouter()\n    r.Use(middleware.RealIP)\n\n    r.Get(\"/admin\", func(w http.ResponseWriter, r *http.Request) {\n        // ip-based access control got bypassed\n        if r.RemoteAddr == \"127.0.0.1\" {\n            w.Write([]byte(\"SECRET ADMIN DATA\"))\n            return\n        }\n        http.Error(w, \"Forbidden\", 403)\n    })\n\n    http.ListenAndServe(\":8080\", r)\n}\n```\n\nspoofed the ip to bypass access control\n\n```bash\ncurl -H \"X-Forwarded-For: 127.0.0.1\" http://localhost:8080/admin\n```\n\n\n### Impact\n\n- ip-based access control bypass lets attackers reach restricted endpoints\n- rate limiting bypass lets attackers avoid limits by rotating spoofed ips\n- audit logs show fake ips picked by attacker instead of real ones\n- attackers can get around geo ip restrictions\n\n## Remediation Recommendation\n\nvalidate proxy cidr first before trusting forwarded ip headers\n\n```go\n// add your reverse proxy ip addresses here\nvar trustedProxies = []net.IPNet{\n       {IP: net.ParseIP(\"10.0.0.0\"), Mask: net.CIDRMask(8, 32)},\n    {IP: net.ParseIP(\"172.16.0.0\"), Mask: net.CIDRMask(12, 32)},\n    {IP: net.ParseIP(\"192.168.0.0\"), Mask: net.CIDRMask(16, 32)},\n}\n\nfunc isTrustedProxy(ip net.IP) bool {\n    for _, cidr := range trustedProxies {\n        if cidr.Contains(ip) {\n            return true\n        }\n    }\n    return false\n}\n```",
  "id": "GHSA-rjr7-jggh-pgcp",
  "modified": "2026-06-25T18:19:15Z",
  "published": "2026-06-25T18:19:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-chi/chi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-chi/chi/releases/tag/v5.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "chi\u0027s RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header"
}

GHSA-RVMH-678C-2F4F

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31
VLAI
Details

A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2.0 through 7.2.1 allows an unauthenticated attack to bypass IP protection through crafted HTTP or HTTPS packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T17:15:38Z",
    "severity": "HIGH"
  },
  "details": "A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2.0 through 7.2.1 allows an unauthenticated attack to bypass IP protection through crafted HTTP or HTTPS packets.",
  "id": "GHSA-rvmh-678c-2f4f",
  "modified": "2024-05-14T18:31:02Z",
  "published": "2024-05-14T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23105"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-24-021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V88M-G39W-9RGH

Vulnerability from github – Published: 2026-04-02 15:31 – Updated: 2026-04-02 15:31
VLAI
Details

Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in document_base_url parameter is in any way related to the actual address of the calling web application. The URL address specified in document_base_url parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction.

This issue was fixed in version 0.0.17.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-02T14:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option before, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\n\nThis issue was fixed in version 0.0.17.4.",
  "id": "GHSA-v88m-g39w-9rgh",
  "modified": "2026-04-02T15:31:39Z",
  "published": "2026-04-02T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26927"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/04/CVE-2026-26927"
    },
    {
      "type": "WEB",
      "url": "https://www.elektronicznypodpis.pl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VJH7-5R6X-XH6G

Vulnerability from github – Published: 2023-07-17 14:36 – Updated: 2024-12-12 22:29
VLAI
Summary
CasaOS Gateway vulnerable to incorrect identification of source IP addresses
Details

Impact

Unauthenticated attackers can execute arbitrary commands as root on CasaOS instances.

Patches

The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.

Workarounds

Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.

References

  • 391dd7f
  • https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/IceWhaleTech/CasaOS-Gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-37265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-348"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T14:36:09Z",
    "nvd_published_at": "2023-07-17T21:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nUnauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances.\n\n### Patches\n\nThe problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.\n\n### Workarounds\n\nUsers should upgrade to CasaOS 0.4.4. If they can\u0027t, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. \n\n### References\n\n- 391dd7f\n- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/",
  "id": "GHSA-vjh7-5r6x-xh6g",
  "modified": "2024-12-12T22:29:30Z",
  "published": "2023-07-17T14:36:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IceWhaleTech/CasaOS-Gateway"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2023-1932"
    },
    {
      "type": "WEB",
      "url": "https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CasaOS Gateway vulnerable to incorrect identification of source IP addresses"
}

GHSA-VXPP-M9VW-RJCX

Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-20 00:32
VLAI
Details

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-03T18:15:36Z",
    "severity": "MODERATE"
  },
  "details": "PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection.",
  "id": "GHSA-vxpp-m9vw-rjcx",
  "modified": "2025-02-20T00:32:02Z",
  "published": "2025-02-03T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54840"
    },
    {
      "type": "WEB",
      "url": "https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-4.htm#Securitybugfixes"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Hurdano/8244855ef8ec364fd98a2693de6e30c5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W38V-JXMP-5HF2

Vulnerability from github – Published: 2024-03-18 15:30 – Updated: 2025-03-10 21:31
VLAI
Details

Unitronics Unistream Unilogic – Versions prior to 1.35.227 -

CWE-348: Use of Less Trusted Source may allow RCE

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "Unitronics Unistream Unilogic \u2013 Versions prior to 1.35.227 -\n\nCWE-348: Use of Less Trusted Source may allow RCE",
  "id": "GHSA-w38v-jxmp-5hf2",
  "modified": "2025-03-10T21:31:08Z",
  "published": "2024-03-18T15:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27773"
    },
    {
      "type": "WEB",
      "url": "https://claroty.com/team82/blog/new-critical-vulnerabilities-in-unitronics-unistream-devices-uncovered"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WGPF-JWQJ-8H8P

Vulnerability from github – Published: 2026-06-16 14:32 – Updated: 2026-06-16 14:32
VLAI
Summary
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Details

Summary

On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value.

Details

A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list — for example IP restriction that walks the X-Forwarded-For chain, or auditing based on Forwarded/Via hops — receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.

This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.

Impact

Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hono"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.12.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54289"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T14:32:31Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nOn AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are silently truncated to a single value.\n\n### Details\n\nA repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list \u2014 for example IP restriction that walks the `X-Forwarded-For` chain, or auditing based on `Forwarded`/`Via` hops \u2014 receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.\n\nThis issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.\n\n### Impact\n\nRequest middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the `X-Forwarded-For` chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.",
  "id": "GHSA-wgpf-jwqj-8h8p",
  "modified": "2026-06-16T14:32:31Z",
  "published": "2026-06-16T14:32:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-wgpf-jwqj-8h8p"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/honojs/hono"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest"
}

No mitigation information available for this CWE.

CAPEC-141: Cache Poisoning

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

CAPEC-142: DNS Cache Poisoning

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.