Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

Description Symfony\Component\Routing\Generator\UrlGenerator::doGenerate percent-encodes . and .. path segments so that the generated URL still resolves to the originating route after RFC 3986 §5.2.4 dot-segment removal which strict RFC-3986 consumers — routers, reverse proxies, HTTP clients —...

GHSA-H5X3-XFC9-M39H Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

Description Symfony\Component\Routing\Generator\UrlGenerator::doGenerate percent-encodes . and .. path segments so that the generated URL still resolves to the originating route after RFC 3986 §5.2.4 dot-segment removal which strict RFC-3986 consumers — routers, reverse proxies, HTTP clients —...

WsgiDAV encoded dot segments can escape filesystem share roots

Impact WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout. Patches The issue is fixed with version 4.3.4. Preconditions The practical impact depends on the deployment. The deployment...

GHSA-WXQ4-CC2Q-338Q WsgiDAV encoded dot segments can escape filesystem share roots

Impact WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout. Patches The issue is fixed with version 4.3.4. Preconditions The practical impact depends on the deployment. The deployment...

fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies

A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator URL containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization...

PT-2026-45727

Name of the Vulnerable Software and Affected Versions jupyter-server version 2.17.0 Description A path traversal issue exists due to an incorrect root directory boundary check in the get os path function within jupyter server/services/contents/fileio.py. The check utilizes startswithroot without...

Improper Encoding or Escaping of Output

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the UrlGenerator due to incorrectly encoding chained dot-segments ../ or ./. The legacy...

Path Traversal

Open WebUI is vulnerable to Path Traversal. The vulnerability is due to improper validation and sanitization of uploaded file names derived from HTTP upload requests, which allows an attacker to upload files with crafted dot-segments and traverse outside the intended uploads directory, potentiall...

CVE-2026-44565

CVE-2026-44565 affects Open WebUI prior to 0.6.10. The upload API derives the target path from the original HTTP upload filename without validation, enabling dot-segment path traversal and arbitrary file writes to locations the web server user can access. This is fixed in 0.6.10. Mitigation guida...

Open WebUI 路径遍历漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.1.124 contained a path traversal vulnerability. This vulnerability occurred when files were attached in messages, where the file names originated from the original...

CVE-2026-42882 oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the...

CVE-2026-42882

CVE-2026-42882 affects oxyno-zeta/s3-proxy (Go). Prior to version 5.0.0, an authentication bypass arises from a mismatch between the auth middleware and bucket handler when parsing resource paths. The auth layer uses the percent-encoded request URI (r.URL.RequestURI()) while the bucket handler bu...

fast-uri vulnerable to path traversal via percent-encoded dot segments

Impact fast-uri v3.1.0 and earlier decodes percent-encoded path separators %2F and dot segments %2E before applying dot-segment removal in normalize and equal. This makes encoded path data behave like real / and .., so distinct URIs collapse onto the same normalized path. For example,...

EUVD-2026-27129

fast-uri vulnerable to path traversal via percent-encoded dot segments...

NPM: fast-uri vulnerable to path traversal via percent-encoded dot segments

NPM: fast-uri vulnerable to path traversal via percent-encoded dot segments vulnerability discovered by ? in WordPress Npm fast-uri versions = 3.1.0...

GHSA-Q3J6-QGPJ-74H6 fast-uri vulnerable to path traversal via percent-encoded dot segments

Impact fast-uri v3.1.0 and earlier decodes percent-encoded path separators %2F and dot segments %2E before applying dot-segment removal in normalize and equal. This makes encoded path data behave like real / and .., so distinct URIs collapse onto the same normalized path. For example,...

CVE-2026-42274

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy ca...

CVE-2026-42274

CVE-2026-42274 affects Heimdall (cloud-native Identity Aware Proxy and Access Control Decision service). Before v0.17.14, it matches rules on raw, non-normalized request paths while downstream components normalize dot-segments per RFC 3986, potentially authorizing requests whose normalized path d...

SUSE CVE-2026-6321

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize and equal functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

CVE-2026-6321

A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator URL containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization...