CVE-2026-53622

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection allows unauthenticated clients to bypass router-specific mutual Transport Layer Security mTLS enforcement. When HTTP/3 is enabled and a router use...

jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties

Summary In BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block triggered by...

CVE-2026-54515 jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...

CVE-2026-54515

CVE-2026-54515 affects jackson-databind where, from 2.8.0 up to 2.18.9, 2.21.5 and 3.1.4, per-property @JsonIgnoreProperties exclusions are bypassed during a case-insensitive deserialization, making ignored properties writable again. The root cause is in BeanDeserializerBase.createContextual(), w...

CVE-2026-54515

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...

CVE-2026-53622

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake...

CVE-2026-49286

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc...

CVE-2026-49286

CVE-2026-49286 - PhpWeasyPrint : The library (prior to 2.6.0) guards the output filename against the phar:// stream wrapper with a case-sensitive blacklist. Because PHP stream wrappers are case-insensitive, inputs like PHAR://, Phar:// bypass the check and reach fileExists() in prepareOutput(), a...

Astra Linux – Vulnerability in curl

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take ‘issuercert’ into account, and it compared the involved paths case insensitively, which could...

PT-2026-50163

Name of the Vulnerable Software and Affected Versions Traefik versions 3.6.17 through 3.7.1 Description An issue in the HTTP/3 QUIC TLS configuration selection allows unauthenticated clients to bypass router-specific mutual TLS mTLS enforcement. When HTTP/3 is enabled, the TLS handshake uses an...

EulerOS 2.0 SP13 : cups (EulerOS-SA-2026-2282)

According to the versions of the cups packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer...

PYSEC-2026-201

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...

Astra Linux - уязвимость в git

Git is an open-source distributed revision control system. In affected versions of Git, a specially crafted repository containing symbolic links and files processed by clean/smudge filters like Git LFS may cause a just-checked-out script to be executed when cloning to a case-insensitive file syst...

CLSA-2026-1779215980 cups: Fix of CVE-2026-27447

CVE-2026-27447: fix authorization bypass via case-insensitive username comparison in scheduler...

CLSA-2026-1779215547 cups: Fix of CVE-2026-27447

CVE-2026-27447: fix authorization bypass via case-insensitive username comparison in scheduler...

GHSA-4GPH-2HHR-5MWG Envoy AI Proxy - MCP Message Smuggling Vulnerability

Envoy AI Gateway was found to be affected by a protocol parser differential vulnerability due to improper implementation of the JSON-RPC 2.0 specification. Such differential causes a MCP message alteration, potentially causing a bypass of security controls in a multi-layered architecture. Accordi...

Envoy AI Proxy - MCP Message Smuggling Vulnerability

Envoy AI Gateway was found to be affected by a protocol parser differential vulnerability due to improper implementation of the JSON-RPC 2.0 specification. Such differential causes a MCP message alteration, potentially causing a bypass of security controls in a multi-layered architecture. Accordi...

node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition

A flaw was found in node-tar, a library for Node.js. This race condition vulnerability occurs due to incomplete handling of Unicode path collisions within the path-reservations system on case-insensitive filesystems, such as macOS APFS. A remote attacker can exploit this by providing a specially...

node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition

A flaw was found in node-tar, a library for Node.js. This race condition vulnerability occurs due to incomplete handling of Unicode path collisions within the path-reservations system on case-insensitive filesystems, such as macOS APFS. A remote attacker can exploit this by providing a specially...

Security Bulletin:DevOps Test Embedded for Eclipse IDE is vulnerable to XXE injection & RCE due to use of JGit and EGit ( CVE-2023-4759 and CVE-2025-4949)

Summary Due to the use of JGit and EGit, DevOps Test Embedded for Eclipse contains vulnerabilities that could lead to unauthorized file access via XML External Entity XXE injection, and arbitrary file overwrites on case-insensitive filesystems that can lead to Remote Code Execution RCE. This only...