10938 matches found
EUVD-2026-23100
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the namespace parameter in the Ruler API endpoint after double URL encoding. An attacker can access arbitrary files by sending specially crafted requests. Details A Directory Traversal attack also known as path...
CVE-2026-40186
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasses allowedTags enforcement for text inside nonTextTagsArray elements textarea and option...
CVE-2026-21726
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726 Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726 Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...
CVE-2026-21726
CVE-2026-21726 is a Grafana Loki path traversal vulnerability related to namespace parameter handling. The literature links it to the historic CVE-2021-36156 bypass in Loki’s path traversal, potentially allowing an attacker to read files via the Ruler API endpoint /loki/api/v1/rules/{namespace} a...
PT-2026-33174
Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0 sanitize-html version 2.17.1 Description A regression in the sanitize-html package allows a bypass of allowedTags enforcement for text within nonTextTagsArray elements, specifically textarea and option. T...
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Description as reported Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques: -...
GHSA-355H-QMC2-WPWF Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Description as reported Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques: -...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
CVE-2026-5438
A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with Content-Encoding: gzip. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive...
GHSA-JVGR-9PH5-M8V4 ImageMagick has a heap buffer overflow when encoding JXL image with a 16-bit float
The JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats...