Web - Daily CVE Reports

Web

CVE-2025-48865: Fabio's Vanishing Act - How a Crafty Connection Header Can Make Your Security Headers Disappear!

TL;DR / Executive Summary Heads up, Fabio users! A sneaky vulnerability, CVE-2025-48865, has been uncovered in Fabio, the fast, modern, zero-conf load balancing router. This flaw allows malicious HTTP clients to manipulate or even completely remove critical custom headers (like X-Forwarded-Host, X-Real-Ip) that Fabio adds before forwarding requests to your

Web

The Case of the Missing Carriage Return: Unpacking CVE-2025-43859 in Python's h11

Hey folks, gather 'round the virtual campfire! Today, we're diving into CVE-2025-43859, a sneaky vulnerability lurking in older versions of h11, a popular Python library for handling HTTP/1.1. While it might seem like a minor parsing quirk at first glance, this bug can team up

Web

CVE-2025-29927: Authorization Bypass in Next.js Middleware

Executive Summary CVE-2025-29927 is a critical vulnerability affecting Next.js applications that utilize middleware for authorization. This vulnerability allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header in HTTP requests. Successful exploitation can lead to unauthorized access to protected routes and resources. The vulnerability is fixed in Next.

Web

CVE-2025-29914: OWASP Coraza WAF URI Parsing Confusion Leading to Rule Bypass

Executive Summary CVE-2025-29914 describes a vulnerability in OWASP Coraza Web Application Firewall (WAF) versions prior to 3.3.3. This vulnerability arises from a parser confusion issue when handling URIs that begin with double slashes (//). Due to this confusion, the REQUEST_FILENAME variable, which is crucial for rule matching, is

Web

CVE-2025-29771: Cross-Site Scripting (XSS) Vulnerability in HtmlSanitizer

Executive Summary CVE-2025-29771 is a cross-site scripting (XSS) vulnerability affecting versions of the HtmlSanitizer library prior to 2.0.3. HtmlSanitizer is a JavaScript library used to sanitize HTML content, often employed in scenarios where user-generated content is rendered in web applications. The vulnerability arises when the library is used

Web

CVE-2025-26936: Critical Code Injection Vulnerability in Fresh Framework

CVE-2025-26936 is a critical code injection vulnerability (CWE-94: Improper Control of Generation of Code) affecting the Fresh Framework WordPress plugin, versions up to and including 1.70.0. This vulnerability allows unauthenticated attackers to execute arbitrary code remotely on a target system, potentially leading to full compromise of the affected