CWE-348
AllowedUse of Less Trusted Source
Abstraction: Base · Status: Draft
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
114 vulnerabilities reference this CWE, most recent first.
GHSA-QJ5Q-VMR2-GMQ3
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 21:34Raytha CMS allows an attacker to spoof X-Forwarded-Host or Host headers to attacker controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim's password and take over the victim's account.
This issue was fixed in version 1.4.6.
{
"affected": [],
"aliases": [
"CVE-2025-69240"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:18:01Z",
"severity": "HIGH"
},
"details": "Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\u00a0can force the server to send an email with\u00a0password reset link pointing to the domain from spoofed header. When victim clicks the link,\u00a0browser sends request to the attacker\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\u00a0over the victim\u0027s account.\n\nThis issue was fixed in version 1.4.6.",
"id": "GHSA-qj5q-vmr2-gmq3",
"modified": "2026-03-16T21:34:32Z",
"published": "2026-03-16T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69240"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/03/CVE-2025-69236"
},
{
"type": "WEB",
"url": "https://raytha.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R277-F4FH-CWV4
Vulnerability from github – Published: 2025-09-08 06:30 – Updated: 2025-09-08 06:30RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which could result in tampering with the operation history of the product’s management tool.
{
"affected": [],
"aliases": [
"CVE-2025-58422"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-08T05:15:34Z",
"severity": "LOW"
},
"details": "RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which could result in tampering with the operation history of the product\u2019s management tool.",
"id": "GHSA-r277-f4fh-cwv4",
"modified": "2025-09-08T06:30:32Z",
"published": "2025-09-08T06:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58422"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN75307484"
},
{
"type": "WEB",
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RFJ2-6V8R-3W64
Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.
{
"affected": [],
"aliases": [
"CVE-2026-58122"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T22:17:09Z",
"severity": "CRITICAL"
},
"details": "Hermes WebUI before 0.51.307 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent local-origin IP restrictions on onboarding endpoints by supplying a spoofed X-Forwarded-For header with a loopback address. Attackers can exploit this bypass to perform server-side request forgery against internal services including cloud metadata endpoints, overwrite LLM provider configuration and API keys with attacker-controlled values, or initiate OAuth device-code flows to obtain persistent access tokens stored in auth.json.",
"id": "GHSA-rfj2-6v8r-3w64",
"modified": "2026-07-10T00:31:27Z",
"published": "2026-07-10T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58122"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/pull/3758"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/commit/70596e6993be0d4cee083c1c1a86f5e7ad5d57b7"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.51.307"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hermes-webui-authentication-bypass-via-x-forwarded-for-header-spoofing"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJR7-JGGH-PGCP
Vulnerability from github – Published: 2026-06-25 18:19 – Updated: 2026-06-25 18:19Summary
realip middleware in go-chi/chi trusts headers like x-forwarded-for without checking them, so attackers can fake their ip and bypass rate limits or access controls
Details
the vuln is in middleware/realip.go , the realIP() function pulls IPs straight from client headers and replaces r.RemoteAddr without checking if the request came from a trusted proxy
func realIP(r *http.Request) string {
var ip string
if tcip := r.Header.Get(trueClientIP); tcip != "" {
ip = tcip // controlled by attacker
} else if xrip := r.Header.Get(xRealIP); xrip != "" {
ip = xrip // controlled by attacker
} else if xff := r.Header.Get(xForwardedFor); xff != "" {
ip, _, _ = strings.Cut(xff, ",") // controlled by attacker
}
// ...
return ip
}
no trusted proxy cidr check in place, any client can send these headers
PoC
create a server with chi and use realip middleware
package main
import (
"fmt"
"net/http"
"github.com/go-chi/chi/v5"
"github.com/go-chi/chi/v5/middleware"
)
func main() {
r := chi.NewRouter()
r.Use(middleware.RealIP)
r.Get("/admin", func(w http.ResponseWriter, r *http.Request) {
// ip-based access control got bypassed
if r.RemoteAddr == "127.0.0.1" {
w.Write([]byte("SECRET ADMIN DATA"))
return
}
http.Error(w, "Forbidden", 403)
})
http.ListenAndServe(":8080", r)
}
spoofed the ip to bypass access control
curl -H "X-Forwarded-For: 127.0.0.1" http://localhost:8080/admin
Impact
- ip-based access control bypass lets attackers reach restricted endpoints
- rate limiting bypass lets attackers avoid limits by rotating spoofed ips
- audit logs show fake ips picked by attacker instead of real ones
- attackers can get around geo ip restrictions
Remediation Recommendation
validate proxy cidr first before trusting forwarded ip headers
// add your reverse proxy ip addresses here
var trustedProxies = []net.IPNet{
{IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(8, 32)},
{IP: net.ParseIP("172.16.0.0"), Mask: net.CIDRMask(12, 32)},
{IP: net.ParseIP("192.168.0.0"), Mask: net.CIDRMask(16, 32)},
}
func isTrustedProxy(ip net.IP) bool {
for _, cidr := range trustedProxies {
if cidr.Contains(ip) {
return true
}
}
return false
}
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-chi/chi/middleware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-chi/chi/v2/middleware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-chi/chi/v3/middleware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-chi/chi/v4/middleware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-chi/chi/v5/middleware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-348"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T18:19:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nrealip middleware in go-chi/chi trusts headers like x-forwarded-for without checking them, so attackers can fake their ip and bypass rate limits or access controls\n\n### Details\n\nthe vuln is in middleware/realip.go , the realIP() function pulls IPs straight from client headers and replaces r.RemoteAddr without checking if the request came from a trusted proxy\n\n```go\nfunc realIP(r *http.Request) string {\n var ip string\n if tcip := r.Header.Get(trueClientIP); tcip != \"\" {\n ip = tcip // controlled by attacker\n } else if xrip := r.Header.Get(xRealIP); xrip != \"\" {\n ip = xrip // controlled by attacker\n } else if xff := r.Header.Get(xForwardedFor); xff != \"\" {\n ip, _, _ = strings.Cut(xff, \",\") // controlled by attacker\n }\n // ...\n return ip\n}\n```\n\nno trusted proxy cidr check in place, any client can send these headers\n\n### PoC\n\ncreate a server with chi and use realip middleware\n\n```go\npackage main\n\nimport (\n \"fmt\"\n \"net/http\"\n \"github.com/go-chi/chi/v5\"\n \"github.com/go-chi/chi/v5/middleware\"\n)\n\nfunc main() {\n r := chi.NewRouter()\n r.Use(middleware.RealIP)\n\n r.Get(\"/admin\", func(w http.ResponseWriter, r *http.Request) {\n // ip-based access control got bypassed\n if r.RemoteAddr == \"127.0.0.1\" {\n w.Write([]byte(\"SECRET ADMIN DATA\"))\n return\n }\n http.Error(w, \"Forbidden\", 403)\n })\n\n http.ListenAndServe(\":8080\", r)\n}\n```\n\nspoofed the ip to bypass access control\n\n```bash\ncurl -H \"X-Forwarded-For: 127.0.0.1\" http://localhost:8080/admin\n```\n\n\n### Impact\n\n- ip-based access control bypass lets attackers reach restricted endpoints\n- rate limiting bypass lets attackers avoid limits by rotating spoofed ips\n- audit logs show fake ips picked by attacker instead of real ones\n- attackers can get around geo ip restrictions\n\n## Remediation Recommendation\n\nvalidate proxy cidr first before trusting forwarded ip headers\n\n```go\n// add your reverse proxy ip addresses here\nvar trustedProxies = []net.IPNet{\n {IP: net.ParseIP(\"10.0.0.0\"), Mask: net.CIDRMask(8, 32)},\n {IP: net.ParseIP(\"172.16.0.0\"), Mask: net.CIDRMask(12, 32)},\n {IP: net.ParseIP(\"192.168.0.0\"), Mask: net.CIDRMask(16, 32)},\n}\n\nfunc isTrustedProxy(ip net.IP) bool {\n for _, cidr := range trustedProxies {\n if cidr.Contains(ip) {\n return true\n }\n }\n return false\n}\n```",
"id": "GHSA-rjr7-jggh-pgcp",
"modified": "2026-06-25T18:19:15Z",
"published": "2026-06-25T18:19:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-chi/chi"
},
{
"type": "WEB",
"url": "https://github.com/go-chi/chi/releases/tag/v5.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "chi\u0027s RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header"
}
GHSA-RVMH-678C-2F4F
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2.0 through 7.2.1 allows an unauthenticated attack to bypass IP protection through crafted HTTP or HTTPS packets.
{
"affected": [],
"aliases": [
"CVE-2024-23105"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T17:15:38Z",
"severity": "HIGH"
},
"details": "A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2.0 through 7.2.1 allows an unauthenticated attack to bypass IP protection through crafted HTTP or HTTPS packets.",
"id": "GHSA-rvmh-678c-2f4f",
"modified": "2024-05-14T18:31:02Z",
"published": "2024-05-14T18:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23105"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-24-021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V88M-G39W-9RGH
Vulnerability from github – Published: 2026-04-02 15:31 – Updated: 2026-04-02 15:31Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.
In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in document_base_url parameter is in any way related to the actual address of the calling web application. The URL address specified in document_base_url parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction.
This issue was fixed in version 0.0.17.4.
{
"affected": [],
"aliases": [
"CVE-2026-26927"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T14:16:25Z",
"severity": "MODERATE"
},
"details": "Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option before, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\n\nThis issue was fixed in version 0.0.17.4.",
"id": "GHSA-v88m-g39w-9rgh",
"modified": "2026-04-02T15:31:39Z",
"published": "2026-04-02T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26927"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/04/CVE-2026-26927"
},
{
"type": "WEB",
"url": "https://www.elektronicznypodpis.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VJH7-5R6X-XH6G
Vulnerability from github – Published: 2023-07-17 14:36 – Updated: 2024-12-12 22:29Impact
Unauthenticated attackers can execute arbitrary commands as root on CasaOS instances.
Patches
The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.
Workarounds
Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
References
- 391dd7f
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/IceWhaleTech/CasaOS-Gateway"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37265"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-348"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-17T14:36:09Z",
"nvd_published_at": "2023-07-17T21:15:09Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nUnauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances.\n\n### Patches\n\nThe problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.\n\n### Workarounds\n\nUsers should upgrade to CasaOS 0.4.4. If they can\u0027t, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. \n\n### References\n\n- 391dd7f\n- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/",
"id": "GHSA-vjh7-5r6x-xh6g",
"modified": "2024-12-12T22:29:30Z",
"published": "2023-07-17T14:36:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37265"
},
{
"type": "WEB",
"url": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/IceWhaleTech/CasaOS-Gateway"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1932"
},
{
"type": "WEB",
"url": "https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CasaOS Gateway vulnerable to incorrect identification of source IP addresses"
}
GHSA-VXPP-M9VW-RJCX
Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-20 00:32PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection.
{
"affected": [],
"aliases": [
"CVE-2024-54840"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T18:15:36Z",
"severity": "MODERATE"
},
"details": "PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection.",
"id": "GHSA-vxpp-m9vw-rjcx",
"modified": "2025-02-20T00:32:02Z",
"published": "2025-02-03T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54840"
},
{
"type": "WEB",
"url": "https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-4.htm#Securitybugfixes"
},
{
"type": "WEB",
"url": "https://gist.github.com/Hurdano/8244855ef8ec364fd98a2693de6e30c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W38V-JXMP-5HF2
Vulnerability from github – Published: 2024-03-18 15:30 – Updated: 2025-03-10 21:31Unitronics Unistream Unilogic – Versions prior to 1.35.227 -
CWE-348: Use of Less Trusted Source may allow RCE
{
"affected": [],
"aliases": [
"CVE-2024-27773"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T14:15:09Z",
"severity": "HIGH"
},
"details": "Unitronics Unistream Unilogic \u2013 Versions prior to 1.35.227 -\n\nCWE-348: Use of Less Trusted Source may allow RCE",
"id": "GHSA-w38v-jxmp-5hf2",
"modified": "2025-03-10T21:31:08Z",
"published": "2024-03-18T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27773"
},
{
"type": "WEB",
"url": "https://claroty.com/team82/blog/new-critical-vulnerabilities-in-unitronics-unistream-devices-uncovered"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGPF-JWQJ-8H8P
Vulnerability from github – Published: 2026-06-16 14:32 – Updated: 2026-06-16 14:32Summary
On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value.
Details
A repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list — for example IP restriction that walks the X-Forwarded-For chain, or auditing based on Forwarded/Via hops — receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.
This issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.
Impact
Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.12.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54289"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T14:32:31Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nOn AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are silently truncated to a single value.\n\n### Details\n\nA repeated request header carries an ordered list of values. The adapter iterates the list but overwrites on each step, keeping only the final value. Middleware that depends on the full list \u2014 for example IP restriction that walks the `X-Forwarded-For` chain, or auditing based on `Forwarded`/`Via` hops \u2014 receives incomplete data. The API Gateway adapter already appends repeated values and is not affected.\n\nThis issue arises only on Lambda@Edge deployments, for requests that contain the same header more than once.\n\n### Impact\n\nRequest middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the `X-Forwarded-For` chain, this can weaken or alter that decision; for auditing, hop history is lost. This affects applications deployed on AWS Lambda@Edge that rely on multi-value request headers.",
"id": "GHSA-wgpf-jwqj-8h8p",
"modified": "2026-06-16T14:32:31Z",
"published": "2026-06-16T14:32:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-wgpf-jwqj-8h8p"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest"
}
No mitigation information available for this CWE.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.