Lucene search
K

557 matches found

Veracode
Veracode
added 2026/05/03 4:46 p.m.12 views

Improper Access Control

Caddy is vulnerable to Improper Access Control. The vulnerability is due to incorrect case-insensitive matching in the HTTP path request matcher when percent-encoded sequences are present, allowing attackers to alter request path casing and bypass path-based routing or attached access controls...

9.1CVSS5.8AI score0.0037EPSS
Exploits1References4Affected Software2
Snyk
Snyk
added 2026/05/01 5:33 p.m.11 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the RWStlReader::ReadAscii process when buffers returned by StandardReadLineBuffer::ReadLine are not properly length-validated before being used in strncasecmp or accessed directly. An attacker can cause denial of...

7.1CVSS5.8AI score0.00106EPSS
Exploits0References2
OSV
OSV
added 2026/04/30 5:19 p.m.5 views

GHSA-5Q7P-7JGV-WW56 Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection

Vulnerability Details CWE: CWE-918 - Server-Side Request Forgery SSRF The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex ^https?://. Any uppercase URL scheme variant HTTP://, HTTPS://, Http:// bypasses the pattern. Go's...

9.3CVSS5.8AI score0.00463EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/04/30 5:19 p.m.16 views

Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection

Vulnerability Details CWE: CWE-918 - Server-Side Request Forgery SSRF The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex ^https?://. Any uppercase URL scheme variant HTTP://, HTTPS://, Http:// bypasses the pattern. Go's...

7.8CVSS5.3AI score0.00463EPSS
Exploits1References6Affected Software1
Veracode
Veracode
added 2026/04/30 3:15 a.m.13 views

Improper Access Control

Caddy is vulnerable to Improper Access Control. The vulnerability is due to incorrect case-insensitive matching in the HTTP host request matcher when large host lists are configured, allowing attackers to modify the casing of the Host header and bypass host-based routing or associated access...

9.1CVSS5.8AI score0.0037EPSS
Exploits1References4Affected Software2
EUVD
EUVD
added 2026/04/27 8:23 a.m.9 views

EUVD-2026-25791

The fix for CVE-2025-27636 added setLowerCasetrue to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCasetrue call was not applied to five non-HTTP HeaderFilterStrategy...

9.9CVSS6.5AI score0.0086EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/27 12:0 a.m.21 views

PT-2026-35370

Name of the Vulnerable Software and Affected Versions Apache Camel versions 3.0.0 through 4.14.5 Apache Camel versions 4.15.0 through 4.18.1 Apache Camel versions 4.19.0 through 4.19.x Description Certain non-HTTP HeaderFilterStrategy implementations, specifically JmsHeaderFilterStrategy and...

9.9CVSS6.5AI score0.0086EPSS
Exploits1References26
OSV
OSV
added 2026/04/25 11:30 p.m.5 views

GHSA-72H4-MXFC-JX37 Heimdall: Case-sensitive host matching may lead to policy bypass

Summary Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than...

7.8CVSS5.8AI score0.00301EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/25 12:0 a.m.12 views

PT-2026-37187

Name of the Vulnerable Software and Affected Versions Heimdall versions prior to 0.17.14 Description Heimdall performs host matching in a case-sensitive manner, which conflicts with the case-insensitive nature of HTTP hostnames. This discrepancy allows a request host that differs only in letter...

7.8CVSS5.8AI score0.00301EPSS
Exploits0References11
NVD
NVD
added 2026/04/24 5:16 p.m.6 views

CVE-2026-41067

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

6.1CVSS0.00189EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/24 4:57 p.m.3 views

CVE-2026-41067 Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

6.1CVSS5.5AI score0.00189EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/24 4:57 p.m.29 views

CVE-2026-41067 Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

6.1CVSS0.00189EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.13 views

PT-2026-34608

Name of the Vulnerable Software and Affected Versions Marko affected versions not specified Description When dynamic text is interpolated into or tags, the runtime fails to prevent tag breakout if the closing tag uses non-lowercase casing. This occurs because the system uses case-sensitive regula...

6.4CVSS5.6AI score0.00195EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/04/21 8:39 p.m.13 views

Astro: XSS in define:vars via incomplete </script> tag sanitization

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

6.1CVSS6AI score0.00189EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.11 views

PT-2026-34233

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

6.1CVSS6AI score0.00189EPSS
Exploits1References5
Slackware Linux
Slackware Linux
added 2026/04/17 9:29 p.m.11 views

[slackware-security] cups

New cups packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/cups-2.4.17-i586-1slack15.0.txz: Upgraded. This update fixes security issues: The scheduler treated local user and group names as...

7.8CVSS5.8AI score0.00502EPSS
Exploits7
OSV
OSV
added 2026/04/17 1:0 p.m.9 views

OESA-2026-1933 cups security update

CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol IPP to support printing to local and network printers. Security Fixes: OpenPrinting CUPS is an open source printing system for Linux and othe...

7.8CVSS6.4AI score0.00502EPSS
Exploits7References8
OSV
OSV
added 2026/04/14 11:13 p.m.7 views

GHSA-HG7G-56H5-5PQR CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure

Summary objects/getCaptcha.php accepts the CAPTCHA length ql directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive strcasecmp comparison over a 33-character...

5.3CVSS5.9AI score0.00218EPSS
Exploits1References4
SUSE CVE
SUSE CVE
added 2026/04/07 11:27 p.m.6 views

SUSE CVE-2026-27447

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon cupsd contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an...

4.8CVSS5.8AI score0.00317EPSS
Exploits1References9
OSV
OSV
added 2026/04/07 6:16 p.m.2 views

GHSA-QMWH-9M9C-H36M Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags

Summary The fix for ExifTool arbitrary file write commit 043b158, released in v8.29.0 uses a case-sensitive blocklist to filter dangerous pseudo-tags. ExifTool processes tag names case-insensitively, so alternate casings bypass the filter. The blocklist also omits the HardLink and SymLink...

8.8CVSS5.9AI score
Exploits0References3
Rows per page
Query Builder