Total
443 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1997 | 2 Hp, Hp Inc | 90 D9l18a, D9l18a Firmware, D9l20a and 87 more | 2026-02-12 | 5.3 Medium |
| Certain HP OfficeJet Pro printers may expose information if Cross‑Origin Resource Sharing (CORS) is misconfigured, potentially allowing unauthorized web origins to access device resource. CORS is disabled by default on Pro‑class devices and can only be enabled by an administrator through the Embedded Web Server (EWS). Keeping CORS disabled unless explicitly required helps ensure that only trusted solutions can interact with the device. | ||||
| CVE-2026-2345 | 1 Proctorio | 1 Secure Exam Proctor Extension | 2026-02-11 | 3.6 Low |
| Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute. | ||||
| CVE-2025-63386 | 2 Dify, Langgenius | 2 Dify, Dify | 2026-02-11 | 9.1 Critical |
| A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap. | ||||
| CVE-2026-22030 | 1 Shopify | 2 React-router, Remix-run\/react | 2026-02-05 | 6.5 Medium |
| React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0. | ||||
| CVE-2025-8074 | 1 Synology | 2 Beedrive, Beedrive For Desktop | 2026-02-04 | 5.6 Medium |
| Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors. | ||||
| CVE-2022-50975 | 2 Avibia, Innomic | 20 Avibialine Avlx1 Hd, Avibialine Avlx2 Hd, Avibialine Avlx4 Hd and 17 more | 2026-02-04 | 8.8 High |
| An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. | ||||
| CVE-2025-67825 | 2 Gonitro, Microsoft | 2 Nitro Pdf Pro, Windows | 2026-02-02 | 5.5 Medium |
| An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updated to ensure signer information consistently reflects the verified certificate identity. | ||||
| CVE-2022-50925 | 1 Prowise | 2 Prowise Reflect, Reflect | 2026-01-30 | 9.8 Critical |
| Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages. | ||||
| CVE-2025-63388 | 2 Dify, Langgenius | 2 Dify, Dify | 2026-01-28 | 9.1 Critical |
| A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. NOTE: the Supplier disputes this, providing the rationale of "sending requests with credentials does not provide any additional access compared to unauthenticated requests." | ||||
| CVE-2025-56648 | 1 Parceljs | 1 Parcel | 2026-01-26 | 6.5 Medium |
| npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them. | ||||
| CVE-2025-59957 | 1 Juniper | 14 Ex4600, Ex4650, Junos and 11 more | 2026-01-23 | 6.8 Medium |
| An Origin Validation Error vulnerability in an insufficient protected file of Juniper Networks Junos OS on EX4600 Series and QFX5000 Series allows an unauthenticated attacker with physical access to the device to create a backdoor which allows complete control of the system. When a device isn't configured with a root password, an attacker can modify a specific file. It's contents will be added to the Junos configuration of the device without being visible. This allows for the addition of any configuration unknown to the actual operator, which includes users, IP addresses and other configuration which could allow unauthorized access to the device. This exploit is persistent across reboots and even zeroization. The indicator of compromise is a modified /etc/config/<platform>-defaults[-flex].conf file. Review that file for unexpected configuration statements, or compare it to an unmodified version which can be extracted from the original Juniper software image file. For details on the extraction procedure please contact Juniper Technical Assistance Center (JTAC). To restore the device to a trusted initial configuration the system needs to be reinstalled from physical media. This issue affects Junos OS on EX4600 Series and QFX5000 Series: * All versions before 21.4R3, * 22.2 versions before 22.2R3-S3. | ||||
| CVE-2026-22794 | 1 Appsmith | 1 Appsmith | 2026-01-21 | 9.7 Critical |
| Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker’s domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93. | ||||
| CVE-2025-34291 | 1 Langflow | 1 Langflow | 2026-01-16 | 8.8 High |
| Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise. | ||||
| CVE-2026-22694 | 2 Aliasvault, Google | 2 Aliasvault, Android | 2026-01-16 | 6.1 Medium |
| AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3. | ||||
| CVE-2025-69259 | 2 Microsoft, Trendmicro | 3 Windows, Apex Central, Apexcentral | 2026-01-15 | 7.5 High |
| A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability.. | ||||
| CVE-2025-69260 | 2 Microsoft, Trendmicro | 3 Windows, Apex Central, Apexcentral | 2026-01-15 | 7.5 High |
| A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. | ||||
| CVE-2025-69235 | 2 Naver, Navercorp | 2 Whale Browser, Whale | 2026-01-13 | 7.5 High |
| Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment. | ||||
| CVE-2025-14279 | 1 Mlflow | 1 Mlflow | 2026-01-13 | N/A |
| MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. | ||||
| CVE-2026-20893 | 2 Fujitsu, Microsoft | 2 Security Solution Authconductor Client Basic V2, Windows | 2026-01-08 | N/A |
| Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value. | ||||
| CVE-2025-7365 | 1 Redhat | 2 Build Keycloak, Keycloak | 2026-01-08 | 7.1 High |
| A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. | ||||