26 matches found
GHSA-WWHQ-W58M-W29C Caddy CVE-2026-30852 Fix Bypass
TL;DR CVE-2026-30852 fixed double expansion in vars_regexp when the variable key is a placeholder, e.g. http.vars.x. The fix does NOT protect literal key names, e.g. tenant_id. An attacker injects env.AWS_SECRET_ACCESS_KEY or file./etc/passwd via a request header → Caddy expands it on the second pass →...
CVE-2026-30852
A flaw was found in Caddy, an extensible server platform. The varsregexp matcher in Caddy's HTTP module double-expands user-controlled input. A remote attacker can exploit this by injecting specific placeholders into request headers, leading to information disclosure. This allows the attacker to...
CVE-2026-30852
creation_timestamp | type | source
---|---|---
2026-03-06 01:59:32+00:00 | published-proof-of-concept | https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf
2026-03-07 20:08:45+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mgimye6fdo27...
CVE-2023-30852
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the /admin/misc/script-proxy API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the scriptPath and scripts parameters. The...
CVE-2022-30852
Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR)...
CVE-2021-30852
A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 14.8 and iPadOS 14.8, tvOS 15, watchOS 8, iOS 15 and iPadOS 15. Processing maliciously crafted web content may lead to arbitrary code execution...
CVE-2025-30852
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emotionalonlinestorytelling Oracle Cards Lite oracle-cards allows Reflected XSS. This issue affects Oracle Cards Lite: from n/a through <= 1.2.1...
CVE-2025-30852
creation_timestamp | type | source
---|---|---
2025-04-02 13:33:29+00:00 | published-proof-of-concept | https://t.me/DarkWebInformerCVEAlerts/10061...
CVE-2025-30852 WordPress Oracle Cards Lite plugin <= 1.2.1 - Reflected Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emotionalonlinestorytelling Oracle Cards Lite oracle-cards allows Reflected XSS. This issue affects Oracle Cards Lite: from n/a through <= 1.2.1...
WordPress Oracle Cards Lite plugin <= 1.2.1 - Reflected Cross Site Scripting (XSS) Vulnerability
Reflected Cross Site Scripting (XSS) Vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Oracle Cards Lite versions <= 1.2.1...
CVE-2023-30852
creation_timestamp | type | source
---|---|---
2023-04-27 20:26:47+00:00 | seen | https://t.me/cibsecurity/62998...
CVE-2023-30852 Pimcore Arbitrary File Read in Admin JS CSS files
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the /admin/misc/script-proxy API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the scriptPath and scripts parameters. The...
CVE-2022-30852
creation_timestamp | type | source
---|---|---
2022-07-08 16:16:25+00:00 | seen | https://t.me/cibsecurity/45807...