Skip to main content

Cloudflare

24 CVEs infrastructure

Monthly

CVE-2026-9860 HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress RCE Offload Ai Optimize With Cloudflare Images +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-40799 MEDIUM This Month

Broken authentication in the Simple Cloudflare Turnstile WordPress plugin (versions ≤ 1.38.0) allows unauthenticated remote attackers to bypass Cloudflare Turnstile CAPTCHA verification on any protected form without completing the bot-detection challenge. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and reported by Patchstack, the flaw enables automated or scripted form submissions that the plugin was designed to block - including login, registration, contact, and WooCommerce checkout forms. No public exploit code has been identified at time of analysis, though the network-accessible, zero-complexity nature of the bypass makes it trivially replicable by any attacker familiar with WordPress form mechanics.

Information Disclosure Simple Cloudflare Turnstile Cloudflare
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-41321 npm LOW PATCH GHSA Monitor

{ redirect: 'manual' }`. This is an incomplete fix for GHSA-qpr4-c339-7vq8. Confirmed on HEAD. `image-binding-transform.ts` line 28: const content = await (isRemotePath(href) ? fetch(imageSrc) : assets.fetch(imageSrc)); Missing `{ redirect: 'manual' }`. The three protected paths: // image-passthrough-endpoint.ts:23 response = await fetch(href, { redirect: 'manual' }); // assets/endpoint/shared.ts:11 const res = await fetch(src, { redirect: 'manual' }); // assets/utils/remoteProbe.ts:53 const response = await fetch(url, { redirect: 'manual' }); Demonstrated with Node.js that `fetch()` without `redirect: 'manual'` follows 302 redirects to arbitrary destinations: fetch('http://allowed:19741/img.jpg') → follows 302 → hits http://internal:19742/secret fetch('http://allowed:19741/img.jpg', {redirect:'manual'}) → returns 302, internal server NOT hit Attack path: attacker finds an open redirect on an allowed domain, crafts `/_image?href=https://allowed-cdn.com/redirect?url=http://internal-service/`, and the Worker follows the redirect to the unauthorized destination. Bypasses the `image.domains` and `image.remotePatterns` allowlist for the default Cloudflare image service (`cloudflare-binding`). Enables blind SSRF to domains not in the allowlist. Same vulnerability class as GHSA-qpr4-c339-7vq8 (HIGH) which fixed the passthrough endpoint but missed this one. const content = await (isRemotePath(href) ? fetch(imageSrc, { redirect: 'manual' }) : assets.fetch(imageSrc));

Node.js SSRF Open Redirect Cloudflare
NVD GitHub
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-2836 Cargo HIGH PATCH This Week

Pingora's default HTTP cache key implementation excludes the host header when generating cache keys, allowing attackers to poison the cache and serve cross-origin responses to victims. This affects deployments using the default CacheKey implementation in multi-tenant environments, where an attacker could cause users from one tenant to receive cached responses belonging to another tenant. No patch is currently available for this high-severity vulnerability.

Authentication Bypass Pingora Cloudflare
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-2835 Cargo CRITICAL PATCH Act Now

HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.

Code Injection Pingora Cloudflare
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-2833 Cargo CRITICAL PATCH Act Now

HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.

Code Injection Pingora Cloudflare
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-3125 npm MEDIUM PATCH This Month

The @opennextjs/cloudflare package is vulnerable to Server-Side Request Forgery (SSRF) through a path normalization bypass in the /cdn-cgi/image/ handler, where attackers can use backslash substitution to evade edge interception and trigger arbitrary remote URL fetches. This affects production deployments that rely on Cloudflare's edge to block such requests, allowing attackers to access internal resources or perform outbound requests to attacker-controlled servers. A patch is available.

SSRF Opennext For Cloudflare Cloudflare
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1229 Go CRITICAL PATCH Act Now

Incorrect computation in CIRCL cryptographic library's CombinedMult function for secp384r1 (P-384) curve. Produces wrong elliptic curve multiplication results for specific inputs, potentially breaking ECDSA signature verification.

Github Circl Suse Cloudflare
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0933 npm CRITICAL PATCH Act Now

Cloudflare Wrangler CLI has a CVSS 9.9 command injection vulnerability in the 'wrangler pages deploy' command that allows arbitrary code execution during deployment.

Command Injection Wrangler Cloudflare
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-13353 Go MEDIUM PATCH This Month

In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used * a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password Patches The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now. System secret rotation guidance It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below. Systems that do not require the old password/secret for rotation Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system. Systems that require the old password/secret for rotation Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to: * temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password * use gokey version 0.2.0 or above to generate the new password * populate the system provided password rotation form Systems that allow multiple credentials for the same account to be provisioned Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above * provision the new secret/key/credential in addition to the existing credential on the system * verify that the access or required system operation is still possible with the new secret/key/credential * revoke authorization for the existing/old credential from the system Credit This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program.

Information Disclosure Ubuntu Debian Gokey Suse +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58179 npm HIGH POC PATCH This Week

Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Astrojs Cloudflare Cloudflare
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-7054 Cargo HIGH PATCH This Month

Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche Cloudflare
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-4821 HIGH PATCH This Week

Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an unauthenticated remote attacker can manipulate ACK frames to artificially inflate the congestion window beyond safe limits, causing excessive data transmission rates and potential denial of service through integer overflow panics. The vulnerability affects quiche versions prior to 0.24.4. While the CVSS score is 7.5 (high severity with network attack vector and no privileges required), real-world exploitation requires completing a QUIC handshake and active manipulation, limiting opportunistic exploitation.

Buffer Overflow Quiche Cloudflare
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-4820 MEDIUM PATCH This Month

Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support. An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.

Denial Of Service Debian Quiche Cloudflare
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-6087 npm CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

SSRF Next.js Node.js Information Disclosure Opennext For Cloudflare +2
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-4366 Cargo HIGH PATCH This Month

A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Request Smuggling Authentication Bypass Pingora Cloudflare
NVD GitHub
CVSS 4.0
7.4
EPSS
0.6%
CVE-2025-4144 npm MEDIUM PATCH This Month

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Workers Oauth Provider Cloudflare
NVD GitHub
CVSS 4.0
5.3
EPSS
0.4%
CVE-2025-4143 npm MEDIUM PATCH This Month

The OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirect_uri was on the allowed list of. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, no authentication required. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Workers Oauth Provider Cloudflare
NVD GitHub
CVSS 4.0
6.0
EPSS
0.5%
CVE-2021-3978 Go HIGH PATCH This Week

When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Rated high severity (CVSS 7.5). This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Octorpki Cloudflare
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-0651 MEDIUM This Month

Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Warp Windows Cloudflare
NVD
CVSS 4.0
6.1
EPSS
0.2%
CVE-2024-0212 MEDIUM This Month

The Cloudflare Wordpress plugin was found to be vulnerable to improper authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Cloudflare
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-6992 MEDIUM PATCH This Month

Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). Rated medium severity (CVSS 4.0), this vulnerability is no authentication required.

Buffer Overflow Denial Of Service Zlib Cloudflare
NVD GitHub
CVSS 3.1
4.0
EPSS
0.0%
CVE-2021-3910 Go MEDIUM PATCH This Month

OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character). Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

Denial Of Service Octorpki Debian Linux Cloudflare
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.6%
CVE-2017-7235 PyPI HIGH PATCH This Week

An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Cloudflare Scrape Cloudflare
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.

File Upload PHP WordPress +3
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Broken authentication in the Simple Cloudflare Turnstile WordPress plugin (versions ≤ 1.38.0) allows unauthenticated remote attackers to bypass Cloudflare Turnstile CAPTCHA verification on any protected form without completing the bot-detection challenge. Classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and reported by Patchstack, the flaw enables automated or scripted form submissions that the plugin was designed to block - including login, registration, contact, and WooCommerce checkout forms. No public exploit code has been identified at time of analysis, though the network-accessible, zero-complexity nature of the bypass makes it trivially replicable by any attacker familiar with WordPress form mechanics.

Information Disclosure Simple Cloudflare Turnstile Cloudflare
NVD
EPSS 0% CVSS 2.2
LOW PATCH Monitor

{ redirect: 'manual' }`. This is an incomplete fix for GHSA-qpr4-c339-7vq8. Confirmed on HEAD. `image-binding-transform.ts` line 28: const content = await (isRemotePath(href) ? fetch(imageSrc) : assets.fetch(imageSrc)); Missing `{ redirect: 'manual' }`. The three protected paths: // image-passthrough-endpoint.ts:23 response = await fetch(href, { redirect: 'manual' }); // assets/endpoint/shared.ts:11 const res = await fetch(src, { redirect: 'manual' }); // assets/utils/remoteProbe.ts:53 const response = await fetch(url, { redirect: 'manual' }); Demonstrated with Node.js that `fetch()` without `redirect: 'manual'` follows 302 redirects to arbitrary destinations: fetch('http://allowed:19741/img.jpg') → follows 302 → hits http://internal:19742/secret fetch('http://allowed:19741/img.jpg', {redirect:'manual'}) → returns 302, internal server NOT hit Attack path: attacker finds an open redirect on an allowed domain, crafts `/_image?href=https://allowed-cdn.com/redirect?url=http://internal-service/`, and the Worker follows the redirect to the unauthorized destination. Bypasses the `image.domains` and `image.remotePatterns` allowlist for the default Cloudflare image service (`cloudflare-binding`). Enables blind SSRF to domains not in the allowlist. Same vulnerability class as GHSA-qpr4-c339-7vq8 (HIGH) which fixed the passthrough endpoint but missed this one. const content = await (isRemotePath(href) ? fetch(imageSrc, { redirect: 'manual' }) : assets.fetch(imageSrc));

Node.js SSRF Open Redirect +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Pingora's default HTTP cache key implementation excludes the host header when generating cache keys, allowing attackers to poison the cache and serve cross-origin responses to victims. This affects deployments using the default CacheKey implementation in multi-tenant environments, where an attacker could cause users from one tenant to receive cached responses belonging to another tenant. No patch is currently available for this high-severity vulnerability.

Authentication Bypass Pingora Cloudflare
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.

Code Injection Pingora Cloudflare
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.

Code Injection Pingora Cloudflare
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The @opennextjs/cloudflare package is vulnerable to Server-Side Request Forgery (SSRF) through a path normalization bypass in the /cdn-cgi/image/ handler, where attackers can use backslash substitution to evade edge interception and trigger arbitrary remote URL fetches. This affects production deployments that rely on Cloudflare's edge to block such requests, allowing attackers to access internal resources or perform outbound requests to attacker-controlled servers. A patch is available.

SSRF Opennext For Cloudflare Cloudflare
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Incorrect computation in CIRCL cryptographic library's CombinedMult function for secp384r1 (P-384) curve. Produces wrong elliptic curve multiplication results for specific inputs, potentially breaking ECDSA signature verification.

Github Circl Suse +1
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Cloudflare Wrangler CLI has a CVSS 9.9 command injection vulnerability in the 'wrangler pages deploy' command that allows arbitrary code execution during deployment.

Command Injection Wrangler Cloudflare
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used * a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password Patches The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now. System secret rotation guidance It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below. Systems that do not require the old password/secret for rotation Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system. Systems that require the old password/secret for rotation Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to: * temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password * use gokey version 0.2.0 or above to generate the new password * populate the system provided password rotation form Systems that allow multiple credentials for the same account to be provisioned Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above * provision the new secret/key/credential in addition to the existing credential on the system * verify that the access or required system operation is still possible with the new secret/key/credential * revoke authorization for the existing/old credential from the system Credit This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program.

Information Disclosure Ubuntu Debian +3
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Astrojs Cloudflare Cloudflare
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Quiche Cloudflare
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cloudflare quiche, a QUIC protocol implementation, contains a congestion control vulnerability (CVE-2025-4821) where an unauthenticated remote attacker can manipulate ACK frames to artificially inflate the congestion window beyond safe limits, causing excessive data transmission rates and potential denial of service through integer overflow panics. The vulnerability affects quiche versions prior to 0.24.4. While the CVSS score is 7.5 (high severity with network attack vector and no privileges required), real-world exploitation requires completing a QUIC handshake and active manipulation, limiting opportunistic exploitation.

Buffer Overflow Quiche Cloudflare
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support. An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.

Denial Of Service Debian Quiche +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

SSRF Next.js Node.js +4
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Month

A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Request Smuggling Authentication Bypass Pingora +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Workers Oauth Provider Cloudflare
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

The OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirect_uri was on the allowed list of. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, no authentication required. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Workers Oauth Provider Cloudflare
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Rated high severity (CVSS 7.5). This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Octorpki Cloudflare
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Warp +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Cloudflare Wordpress plugin was found to be vulnerable to improper authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Cloudflare
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). Rated medium severity (CVSS 4.0), this vulnerability is no authentication required.

Buffer Overflow Denial Of Service Zlib +1
NVD GitHub
EPSS 1% CVSS 4.4
MEDIUM PATCH This Month

OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character). Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable.

Denial Of Service Octorpki Debian Linux +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Cloudflare Scrape +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy