Lucene search
K

399 matches found

OSV
OSV
added 4 days ago3 views

DEBIAN-CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

6.8CVSS5.8AI score0.00208EPSS
Exploits0References1
NVD
NVD
added 4 days ago8 views

CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

6.8CVSS0.00208EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-24978

comm: lossy UTF-8 conversion silently corrupts non-UTF-8 output...

3.3CVSS5.9AI score0.00176EPSS
Exploits1References6
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-58404 Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

4.6CVSS0.00208EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 4 days ago3 views

CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

4.6CVSS5.8AI score0.00208EPSS
Exploits0References5Affected Software1
CVE
CVE
added 4 days ago9 views

CVE-2026-58404

Hugo: From v0.162.0 to v0.163.0, the default security.http.urls policy blocked loopback/internal/cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation. Consequently, alternate IPv4 encodings (integer, hex, octal) could resolve to blocked addresses when a template pa...

6.8CVSS5.8AI score0.00208EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/07/01 12:16 p.m.8 views

CVE-2026-14181

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...

7.5CVSS0.00291EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.8 views

PT-2026-54638

Name of the Vulnerable Software and Affected Versions @fastify/middie versions 9.1.0 through 9.3.2 Description An issue exists in the standalone engine's URL normalization and decoding process where malformed percent-encoded sequences in incoming request paths are not properly guarded...

7.5CVSS5.8AI score0.00291EPSS
Exploits0References9
OSV
OSV
added 2026/06/19 7:18 p.m.9 views

GHSA-R46F-3RPW-HXRV Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)

Impact The default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals e.g. http://127.0.0.1/, http://169.254.169.254/. The deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses — integer, hex, or octal, whi...

7.7CVSS5.9AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:18 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the resources.GetRemote process while the host platform uses the cgo system resolver. When alternate IPv4 encodings are used in URLs, such as integer, hexadecimal, or octal representations, which bypa...

8.6CVSS5.9AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:18 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the resources.GetRemote process while the host platform uses the cgo system resolver. When alternate IPv4 encodings are used in URLs, such as integer, hexadecimal, or octal representations, which bypa...

8.6CVSS5.9AI score0.00208EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:31 p.m.10 views

CVE-2025-8095

The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supporte...

10CVSS5.4AI score0.00216EPSS
Exploits0References1
OSV
OSV
added 2026/06/02 11:16 p.m.10 views

UBUNTU-CVE-2026-42504

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU...

7.5CVSS5.2AI score0.0056EPSS
Exploits0References5
OSV
OSV
added 2026/05/29 10:27 p.m.7 views

GHSA-5C6W-WWFQ-7QQM PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings

Summary PraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spidertools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...

5.5CVSS6.2AI score0.00014EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/29 10:27 p.m.28 views

PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings

Summary PraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spidertools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...

6.2AI score0.00014EPSS
Exploits0References2Affected Software2
SUSE CVE
SUSE CVE
added 2026/05/29 1:20 a.m.13 views

SUSE CVE-2026-44378

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...

6.9CVSS5.8AI score0.00324EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.11 views

PT-2026-45049

Summary PraisonAI's spider tools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spider tools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...

5.5CVSS6.2AI score0.00014EPSS
Exploits0References3
NVD
NVD
added 2026/05/27 6:16 p.m.12 views

CVE-2026-44378

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...

7.5CVSS0.00324EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 4:34 p.m.47 views

CVE-2026-44378 Botan: Quadratic complexity decoding BER indefinite length encodings

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...

6.9CVSS0.00324EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/27 4:34 p.m.9 views

CVE-2026-44378 Botan: Quadratic complexity decoding BER indefinite length encodings

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...

6.9CVSS5.8AI score0.00324EPSS
Exploits0References1
Rows per page
Query Builder