399 matches found
DEBIAN-CVE-2026-58404
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
CVE-2026-58404
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
EUVD-2026-24978
comm: lossy UTF-8 conversion silently corrupts non-UTF-8 output...
CVE-2026-58404 Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
CVE-2026-58404
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
CVE-2026-58404
Hugo: From v0.162.0 to v0.163.0, the default security.http.urls policy blocked loopback/internal/cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation. Consequently, alternate IPv4 encodings (integer, hex, octal) could resolve to blocked addresses when a template pa...
CVE-2026-14181
@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...
PT-2026-54638
Name of the Vulnerable Software and Affected Versions @fastify/middie versions 9.1.0 through 9.3.2 Description An issue exists in the standalone engine's URL normalization and decoding process where malformed percent-encoded sequences in incoming request paths are not properly guarded...
GHSA-R46F-3RPW-HXRV Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)
Impact The default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals e.g. http://127.0.0.1/, http://169.254.169.254/. The deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses — integer, hex, or octal, whi...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the resources.GetRemote process while the host platform uses the cgo system resolver. When alternate IPv4 encodings are used in URLs, such as integer, hexadecimal, or octal representations, which bypa...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the resources.GetRemote process while the host platform uses the cgo system resolver. When alternate IPv4 encodings are used in URLs, such as integer, hexadecimal, or octal representations, which bypa...
CVE-2025-8095
The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supporte...
UBUNTU-CVE-2026-42504
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU...
GHSA-5C6W-WWFQ-7QQM PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
Summary PraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spidertools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
Summary PraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spidertools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...
SUSE CVE-2026-44378
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...
PT-2026-45049
Summary PraisonAI's spider tools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spider tools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...
CVE-2026-44378
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...
CVE-2026-44378 Botan: Quadratic complexity decoding BER indefinite length encodings
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...
CVE-2026-44378 Botan: Quadratic complexity decoding BER indefinite length encodings
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...