CVE-2026-57942
⚪ For information
A vulnerability in LibreTranslate allows client IP addresses to be spoofed, which enables abuse of the API.
| Field | Value |
|---|---|
| CVSS | 5.3 |
| EPSS | 0.0% |
| Exploit | none |
Vendor
Source description (NVD)
LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
none
Patch: fixed in commit 397fd22 (see References)
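The NVD description above says the rate-limit key comes from `get_remote_address()`, which reads `X-Forwarded-For` without any trusted-proxy validation. The following example is added here and is not LibreTranslate's code nor the content of commit 397fd22: it contrasts that vulnerable pattern with a resolver that only honours the header when the TCP peer is in a configured trusted-proxy list and walks the chain from the right, then runs both through a simple per-IP rate limiter against a constructed flood. `TRUSTED_PROXIES`, `RATE_LIMIT`, the `simulate_flood` helper and all sample addresses are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter
from typing import Callable, Iterable, Mapping, Tuple

# Assumed configuration for this example (not a LibreTranslate setting):
# only these peers are allowed to assert a client address via X-Forwarded-For.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1"]
RATE_LIMIT = 20  # requests per resolved address before rejection (assumed)


def get_remote_address_vulnerable(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Vulnerable pattern (illustrative): whenever X-Forwarded-For is present,
    its leftmost entry becomes the client address, no matter who sent it.
    Any client can set the header, so the rate-limit key is attacker-controlled."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def get_remote_address_hardened(remote_addr: str, headers: Mapping[str, str],
                                trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Hardened resolver: honour X-Forwarded-For only if the TCP peer is a
    trusted proxy, and take the rightmost entry that is not itself a trusted
    proxy (the address our own edge actually observed). Anything an attacker
    prepends further left is ignored."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in n for n in nets)

    if not trusted(remote_addr):
        # Direct connection from an untrusted peer: the header is meaningless.
        return remote_addr

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if trusted(hop):
            continue  # appended by one of our proxies; keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed/injected value: fall back to the peer
        return hop
    return remote_addr  # header absent or contained only our own proxies


Request = Tuple[str, Mapping[str, str]]  # (TCP peer address, request headers)


def simulate_flood(resolver: Callable[[str, Mapping[str, str]], str],
                   requests: Iterable[Request], limit: int = RATE_LIMIT) -> int:
    """Apply a per-address counter and return how many requests were rejected
    because their resolved address had already used up `limit` requests."""
    seen: Counter = Counter()
    rejected = 0
    for remote_addr, headers in requests:
        key = resolver(remote_addr, headers)
        seen[key] += 1
        if seen[key] > limit:
            rejected += 1
    return rejected


# Constructed traffic (documentation-range addresses, not real captures).
# 1) Attacker at 203.0.113.7 hits the API directly, forging a fresh XFF per request.
DIRECT_FLOOD = [("203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(1, 51)]
# 2) Same attacker behind a trusted reverse proxy at 10.0.0.2 that appends the real peer.
PROXIED_FLOOD = [("10.0.0.2", {"X-Forwarded-For": f"198.51.100.{i}, 203.0.113.7"})
                 for i in range(1, 51)]
# 3) Fifty distinct legitimate clients behind the same proxy (one request each).
LEGIT_TRAFFIC = [("10.0.0.2", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(1, 51)]


if __name__ == "__main__":
    for name, traffic in [("direct", DIRECT_FLOOD), ("proxied", PROXIED_FLOOD), ("legit", LEGIT_TRAFFIC)]:
        print(f"{name:8s} vulnerable rejected={simulate_flood(get_remote_address_vulnerable, traffic)}"
              f"  hardened rejected={simulate_flood(get_remote_address_hardened, traffic)}")
```

With the vulnerable resolver every forged header value becomes a fresh rate-limit bucket, so neither flood is ever throttled; the hardened resolver collapses both floods onto 203.0.113.7 and rejects everything past the limit, while still keying the legitimate proxied clients on their own addresses. Whatever the real fix looks like, the trusted-proxy list has to match the deployment: if the service is not behind a reverse proxy at all, `X-Forwarded-For` should simply be ignored.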
Sources and dates
| Source | Value |
|---|---|
| NVD CVSS | 5.3 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-06-29 18:16:39 UTC |
| Last modified (NVD) | 2026-06-29 19:16:42 UTC |
Referencje
- https://github.com/LibreTranslate/LibreTranslate/commit/397fd224080515d4001a1bc60c8fed53e3c56b6f (disclosure@vulncheck.com)
- https://github.com/LibreTranslate/LibreTranslate/issues/986 (disclosure@vulncheck.com)
- https://github.com/LibreTranslate/LibreTranslate/pull/987 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/libretranslate-ip-spoofing-via-x-forwarded-for-header (disclosure@vulncheck.com)