1204 matches found
EUVD-2026-18225
A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available...
EUVD-2026-18352
The OWASP core rule set CRS is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions .php, .phar, .jsp, .jspx by inserting whitespace...
PT-2026-29925
Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...
Henan Xiaopi Panel 代码注入漏洞
Henan Xiaopi Panel is a Linux graphical interface developed by Henan Xiaopi in Henan, China. Version 1.0.0 of Henan Xiaopi Panel contains a code injection vulnerability. This vulnerability stems from improper handling of the parameter “param” in the file/demo.php of the component WAF Firewall,...
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...
CVE-2026-31382
The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...
EUVD-2026-13686
The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...
CVE-2026-31382
The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...
PT-2026-26562
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $ POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real escape string was applied, it only escapes...
PT-2026-26610
Name of the Vulnerable Software and Affected Versions affected versions not specified Description The error description parameter is susceptible to Reflected Cross-Site Scripting XSS. An attacker can circumvent the website's Web Application Firewall WAF by utilizing a payload specifically designe...
ROS-20260318-73-0001
A vulnerability in the ModSecurity web application security module exists due to insufficient input validation during URL processing. Exploitation of the vulnerability could allow an attacker acting remotely to bypass WAF rules...
Fortinet FortiWeb OS Command Injection Vulnerability (CNVD-2026-14602)
Fortinet FortiWeb is a Web application layer firewall from the U.S. company Fita Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning and other attacks to ensure the security of Web applications and protect sensitive database content. A...
GHSA-775H-3XRC-C228 Parse Server has a rate limit bypass via batch request endpoint
Impact Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...
Build Transformative Security with AI-Powered WAF Detections
...
Prototype Pollution
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Prototype Pollution via triggers.js when a prototype property name is used as the function name. An attacker can terminate t...
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Impact An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud...
PT-2026-24188
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.13 Parse Server versions prior to 9.5.1-alpha.2 Description An unauthenticated attacker can cause a denial of service by crashing the Parse Server process. This occurs by calling a Cloud Function endpoint wit...
Fortinet FortiWeb 操作系统命令注入漏洞
Fortinet FortiWeb is a Web application layer firewall from the U.S. company Fita Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning and other attacks to ensure the security of Web applications and protect sensitive database content. A...
Fortinet FortiWeb 安全漏洞
Fortinet FortiWeb is a Web application layer firewall developed by the American company Fortinet. It can block threats such as cross-site scripting, SQL injection, cookie poisoning, and schema poisoning, ensuring the security of web applications and protecting sensitive database content. Fortinet...
AWS VDP: SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)
Researchers This vulnerability was discovered through collaborative security research. Researchers: - █████ - █████████ - █████████ --- Summary AWS WAF fails to detect certain SQL injection payload variants. These payloads bypass the AWS WAF SQL injection detection rules and reach the backend...