11 matches found
CVE-2026-6321
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator (URL) containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization...
EUVD-2026-23227
@fastify/static vulnerable to route guard bypass via encoded path separators...
GHSA-X428-GHPX-8J92 @fastify/static vulnerable to route guard bypass via encoded path separators
Impact: @fastify/static v9.1.0 and earlier decodes percent-encoded path separators (%2F) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/ do not match /admin%2Fsecret.html, but @fastify/static decodes it to...
CVE-2026-6414
The CVE concerns @fastify/static (versions 8.0.0–9.1.0) where percent-encoded path separators (%2F) are decoded before filesystem resolution, but Fastify’s router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware/guards that protect files served by...
Linux Distros Unpatched Vulnerability : CVE-2021-33896
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal only for creation of new files via URI-encoded path separators. CVE-2021-33896 Note that...
Low: python3
Issue Overview: During address list folding, when a separating comma ends up on a folded line and that line is to be unicode-encoded, the separator itself is also unicode-encoded. The expected behavior is that the separating comma remains a plain comma. This can result in the address header bein...
AZL-9909 CVE-2022-27780 affecting package curl for versions less than 7.83.1-1
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved. For example, a URL like http://example.com%2F127.0.0.1/, would be allowed by the parser and get...
curl code issue vulnerability
curl is a tool used to transfer data from or to a server. A code issue vulnerability exists in curl, which arises from the URL parser incorrectly accepting percent-encoded URL separators when decoding the hostname portion of a URL...
UBUNTU-CVE-2022-27780
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved. For example, a URL like http://example.com%2F127.0.0.1/, would be allowed by the parser and get...
DEBIAN-CVE-2021-33896
Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal only for creation of new files via URI-encoded path separators...
Dino path traversal vulnerability
Dino is an open source desktop chat client application from the Dino team. Dino suffers from a path traversal vulnerability that stems from Dino prior to 0.1.2 and 0.2 failing to properly filter for special elements in the path of a resource or file. An attacker could use this...