116 matches found

OSV
added 2026/01/20 4:34 p.m. · 1 view

GHSA-CXRG-G7R8-W69P Fastify Middie Middleware Path Bypass

Summary A security vulnerability exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify...

CVSS 8.4 · AI score 5.8 · EPSS 0.00144
Exploits: 1 · References: 6
EUVD
added 2026/01/20 4:34 p.m. · 3 views

EUVD-2026-3321

Fastify Middie Middleware Path Bypass...

CVSS 8.4 · AI score 5.3 · EPSS 0.00144
Exploits: 1 · References: 5
RedhatCVE
added 2026/01/20 3:27 p.m. · 3 views

CVE-2026-22031

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. While...

CVSS 8.8 · AI score 5.5 · EPSS 0.00144
Exploits: 1 · References: 1
ATTACKERKB
added 2026/01/19 4:48 p.m. · 4 views

CVE-2026-22037

The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. While the...

CVSS 8.4 · AI score 5.5 · EPSS 0.00144
Exploits: 1 · References: 3 · Affected Software: 1
NVD
added 2026/01/19 4:15 p.m. · 2 views

CVE-2026-22031

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. While...

CVSS 8.8 · EPSS 0.00144
Exploits: 1 · References: 4
Vulnrichment
added 2026/01/19 3:24 p.m. · 1 view

CVE-2026-22031 Fastify Middie Middleware Path Bypass

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters e.g., /%61dmin instead of /admin. While...

CVSS 8.4 · AI score 5.5 · EPSS 0.00144
Exploits: 1 · References: 4
CVE
added 2026/01/19 3:24 p.m. · 10 views

CVE-2026-22031

CVE-2026-22031 affects the Fastify middleware plugin @fastify/middie (prior to 9.1.0). A vulnerability allows bypassing a middleware registered with a path prefix by using URL-encoded paths (e.g., /%61dmin). The middie engine uses path-to-regexp for matching; the regex is applied to the undecoded...

CVSS 8.8 · AI score 5.5 · EPSS 0.00144
Exploits: 1 · References: 4 · Affected Software: 1
RedhatCVE
added 2026/01/09 11:26 a.m. · 5 views

CVE-2021-33896

Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal only for creation of new files via URI-encoded path separators...

CVSS 5.3 · AI score 6.8 · EPSS 0.00508
Exploits: 0 · References: 1
OSV
added 2025/12/30 3:32 p.m. · 3 views

GHSA-8WPR-639P-CCRJ Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

A NestJS application is vulnerable if it meets all of the following criteria: 1. Platform: Uses @nestjs/platform-fastify. 2. Security Mechanism: Relies on NestMiddleware via MiddlewareConsumer for security checks authentication, authorization, etc., or through app.use 3. Routing: Applies middlewa...

CVSS 9.1 · AI score 6.8 · EPSS 0.00029
Exploits: 1 · References: 4
Github Security Blog
added 2025/12/08 4:42 p.m. · 5 views

Path Normalization Bypass in Traefik Router + Middleware Rules

Impact There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path; if the request path contains an encoded restricted character from the followin...

CVSS 6.9 · AI score 7 · EPSS 0.00018
Exploits: 1 · References: 5 · Affected Software: 3
Snyk
added 2025/12/08 4:42 p.m. · 1 view

Interpretation Conflict

Overview Affected versions of this package are vulnerable to Interpretation Conflict in path matching. An attacker can gain unauthorized access to restricted endpoints by sending requests with URL-encoded restricted characters in the path, which bypasses middleware and security controls...

CVSS 7.2 · AI score 6.9 · EPSS 0.00018
Exploits: 1 · References: 2
OSV
added 2025/11/26 2:28 p.m. · 0 views

SUSE-SU-2025:21145-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 - CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes bsc1253757 - CVE-2025-10148: Fixed predictable WebSocket mask bsc1249348 Other fixes: - tooloperate: fix...

CVSS 7.5 · AI score 6.8 · EPSS 0.00364
Exploits: 1 · References: 8
Github Security Blog
added 2025/11/19 8:3 p.m. · 6 views

Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application's middleware reads the path for validation checks. Astro internally applies decodeURI to determine which route to render, while the middleware uses context.url.pathname without applying the...

CVSS 6.9 · AI score 6.5 · EPSS 0.00041
Exploits: 1 · References: 4 · Affected Software: 1
OSV
added 2025/11/19 8:3 p.m. · 3 views

GHSA-GGXQ-HP9W-J794 Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application's middleware reads the path for validation checks. Astro internally applies decodeURI to determine which route to render, while the middleware uses context.url.pathname without applying the...

CVSS 6.9 · AI score 6.4 · EPSS 0.00299
Exploits: 1 · References: 4
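The Fastify middie entries (CVE-2026-22031: prefix regex applied to the undecoded path, router dispatching on the decoded one) and the Astro entries above (middleware reads the raw url.pathname, renderer applies decodeURI) are the same defect: the security gate and the router canonicalise the path differently, so a request like /%61dmin reaches the /admin handler without ever passing the gate. The following is an added example, not code from Fastify, @fastify/middie, Astro or NestJS, that models the vulnerable prefix check beside a hardened one and runs both over constructed request paths. The prefix "/admin", the sample paths, and the assumption that the modelled router decodes once and collapses dot segments are all inventions of this example; check what your own router actually does before relying on that assumption.

```javascript
// Added example (not vendor code): "gate on the raw path, route on the
// decoded path" mismatch, and a gate that canonicalises the same way the
// router does. Prefix and request paths below are constructed for the demo.

// Path as seen on the wire: query string and fragment stripped, percent
// encoding left intact. This is what a naive prefix check compares against.
function rawPathname(requestUrl) {
  return requestUrl.split(/[?#]/)[0];
}

// Decode exactly once and collapse "." / ".." segments. Returns null for
// malformed percent-encoding so callers can fail closed. Assumption of this
// model: the router normalises the same way (decode once, no second pass).
function canonicalPath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (e) {
    return null; // URIError, e.g. "/%zz" or a truncated "%6"
  }
  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

function underPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + "/");
}

// Vulnerable gate: compares the still-encoded path against the prefix,
// so "/%61dmin" does not look like "/admin" and the check is skipped.
function gateRaw(requestUrl, prefix) {
  return underPrefix(rawPathname(requestUrl), prefix);
}

// Hardened gate: canonicalise with the same decoding the router applies,
// and refuse anything that cannot be decoded (fail closed).
function gateHardened(requestUrl, prefix) {
  const p = canonicalPath(rawPathname(requestUrl));
  return p === null || underPrefix(p, prefix);
}

// Modelled router: dispatches on the canonical path, so "/%61dmin" and
// "/admin" reach the same protected handler.
function routeHits(requestUrl, prefix) {
  const p = canonicalPath(rawPathname(requestUrl));
  return p !== null && underPrefix(p, prefix);
}

// A bypass is a request that reaches the handler without passing the gate.
function bypasses(requestUrl, prefix, gate) {
  return routeHits(requestUrl, prefix) && !gate(requestUrl, prefix);
}

const PROTECTED = "/admin";
const SAMPLE_REQUESTS = [        // constructed inputs
  "/admin",                      // plain
  "/admin/users?page=2",         // sub-path with query string
  "/%61dmin",                    // 'a' percent-encoded
  "/%61dmin/users",
  "/%2561dmin",                  // double-encoded: decodes once to "/%61dmin", not admin
  "/public/../admin",            // dot-segment hop
  "/%zz",                        // malformed encoding
  "/public/index.html",          // unrelated path
];

function report(requests = SAMPLE_REQUESTS, prefix = PROTECTED) {
  return requests.map((url) => ({
    url,
    bypassRaw: bypasses(url, prefix, gateRaw),
    bypassHardened: bypasses(url, prefix, gateHardened),
  }));
}

console.table(report());
```

The two things the hardened gate gets right are that it decodes exactly once (a second decode would make "/%2561dmin" look like "/admin" to the gate while the router still sees "/%61dmin", recreating the mismatch in the other direction) and that it treats an undecodable path as protected rather than as "not /admin". The same rule applies to whatever your framework exposes: compare against the value the router will actually dispatch on, never against the raw string.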
RedhatCVE
added 2025/11/13 6:0 p.m. · 6 views

CVE-2025-20379

In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using th...

CVSS 3.5 · AI score 6.8 · EPSS 0.00029
Exploits: 0 · References: 1
OSV
added 2025/11/12 6:15 p.m. · 0 views

CVE-2025-20379

In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using th...

CVSS 3.5 · AI score 5.8
Exploits: 0 · References: 1
Positive Technologies
added 2025/11/12 12:0 a.m. · 4 views

PT-2025-46680

Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 10.0.1 Splunk Enterprise versions 9.2.9 through 9.4.5 Splunk Cloud Platform versions below 9.3.2411.116 Splunk Cloud Platform versions 9.3.2408.124 and below Splunk Cloud Platform versions below 10.0.2503.5...

CVSS 3.5 · AI score 6.8 · EPSS 0.00029
Exploits: 0 · References: 6
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2018-0804

Malware in sbrugna...

CVSS 7.5 · AI score 7.6 · EPSS 0.03057
Exploits: 1 · References: 15
OSV
added 2025/09/04 11:15 a.m. · 0 views

CVE-2025-41035

A problem has been discovered in appRain CMF 4.0.5. An authenticated Path Traversal vulnerability in /apprain/common/download/ allows remote users to bypass the intended SecurityManager restrictions and download any file if they have adequate permissions outside the document root configured on th...

CVSS 6.5 · AI score 5.8
Exploits: 0 · References: 1
Tenable Nessus
added 2025/08/27 12:0 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2024-6329

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2...

CVSS 7.5 · AI score 5.5 · EPSS 0.00063
Exploits: 0 · References: 2