85 matches found
CVE-2026-42272
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized...
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
Summary A path traversal vulnerability exists in Pipecat's development runner src/pipecat/runner/run.py. When the runner is started with the --folder flag, it exposes a GET /files/filename:path download endpoint. The filename path parameter is concatenated directly onto args.folder with no...
CVE-2026-42882 oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the...
CVE-2026-42272
CVE-2026-42272 affects Heimdall, a cloud-native Identity Aware Proxy/Access Control service. Before v0.17.14, it treated URL-encoded slashes (%2F) as case-sensitive while percent-encodings must be case-insensitive, causing %2f to be ignored when allow_encoded_slashes is off (default). This discre...
CVE-2026-42272 Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized...
CVE-2026-42272 Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized...
CVE-2026-42272
Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized...
Heimdall 安全漏洞
Heimdall is an open-source application panel and launcher developed by LinuxServer.io. Versions of Heimdall prior to 0.17.14 contained security vulnerabilities. These vulnerabilities stemmed from the handling of URL-encoded slashes in a case-sensitive manner. URL-encoded slashes are defined as...
GHSA-RFGQ-WGG8-662P S3-Proxy has Security Issues in its Resource Path Matching Implementation
Background The original concern is functional: a resource pattern should treat a percent-encoded segment like some%2Fvalue as a single opaque token rather than splitting it into two path segments at the decoded /. Investigation into why %2F was being decoded and how routes matched against the...
JLSEC-2026-425 URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file...
URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...
Heimdall has an authorization bypass via path normalization mismatch
Summary Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path e.g., /user/../admin, or URL-encoded variants...
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Summary Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized and therefore not processed as expected when allowencodedslashes is set to off the default setting. Th...
Interpretation Conflict
Overview Affected versions of this package are vulnerable to Interpretation Conflict via inconsistent handling of URL-encoded slashes in the path processing. An attacker can gain unauthorized access or escalate privileges by crafting requests with lowercase percent-encoded slashes that bypass...
GHSA-43JV-5J4X-QV67 Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Summary Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized and therefore not processed as expected when allowencodedslashes is set to off the default setting. Th...
Interpretation Conflict
Overview Affected versions of this package are vulnerable to Interpretation Conflict via inconsistent handling of URL-encoded slashes in the path processing. An attacker can gain unauthorized access or escalate privileges by crafting requests with lowercase percent-encoded slashes that bypass...
PT-2026-37186
Name of the Vulnerable Software and Affected Versions Heimdall versions prior to 0.17.14 Description Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, whereas percent-encoding is defined as case-insensitive. When the allow encoded slashes variable is set to off the default...
SUSE CVE-2026-33344
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
CVE-2026-33868
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability CWE-601 exists in the /web/ route due to improper handling of URL-encoded path segments. An attacker can craft a specially encode...
CVE-2026-32004
OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitti...
CVE-2026-33344
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...