CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58169

highCVSS 7.5covered by 1 sourcefirst seen 2026-06-30
Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to 0.0.0.0 with credentialed CORS. Attackers can craft a malicious DNS rebinding page to issue authenticated requests to the local API server, reach the shell execution endpoint with a bash-enabled preset, and achieve remote code execution as the API process user while also overwriting LLM and data-source settings to exfiltrate credentials.

⚡ Watch CVE-2026-58169

Get an email if CVE-2026-58169 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58169

CVE.org record

Embed the live status

CVE-2026-58169 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58169 status](https://www.csirts.com/badge/CVE-2026-58169)](https://www.csirts.com/cve/CVE-2026-58169)