Lucene search
+L

79 matches found

redhat
redhat
added 2026/07/09 8:19 a.m.7 views

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

9.1CVSS6.6AI score0.00522EPSS
Exploits1References5
nvd
nvd
added 2026/06/29 8:17 p.m.8 views

CVE-2026-56017

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString XS.xs inspects the previous token's last byte to choose between a regexp literal and a...

7.5CVSS0.00488EPSS
Exploits0References2
debiancve
debiancve
added 2026/06/29 7:38 p.m.9 views

CVE-2026-56017

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString XS.xs inspects the previous token's last byte to choose between a regexp literal and a...

7.5CVSS5.8AI score0.00488EPSS
Exploits0
ptsecurity
ptsecurity
added 2026/06/29 12:0 a.m.8 views

PT-2026-53732

Name of the Vulnerable Software and Affected Versions JavaScript::Minifier::XS versions prior to 0.16 Description A NULL pointer dereference occurs when the first meaningful token of the input is a slash. The issue resides in the JsTokenizeString function within the XS.xs file, where the regexp...

7.5CVSS5.8AI score0.00488EPSS
Exploits0References6
nessus
nessus
added 2026/06/27 12:0 a.m.9 views

EulerOS 2.0 SP15 : kata-containers (EulerOS-SA-2026-2484)

"According to the versions of the kata-containers package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input...

9.1CVSS6.8AI score0.00522EPSS
Exploits1References2
ibm
ibm
added 2026/06/25 6:13 p.m.9 views

Security Bulletin: IBM Support for Hyperledger Fabric is vulnerable to CVE-2026-33186

Summary google.golang.org/grpc-v1.56.3 used by fabric-operations-console Vulnerability Details CVEID:CVE-2026-33186 DESCRIPTION: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path...

9.1CVSS5.9AI score0.00522EPSS
Exploits1Affected Software1
redhat
redhat
added 2026/06/24 11:4 a.m.4 views

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

9.1CVSS6.6AI score0.00522EPSS
Exploits1References5
redhat
redhat
added 2026/06/22 11:36 a.m.8 views

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

9.1CVSS7.3AI score0.00522EPSS
Exploits1References5
snyk
snyk
added 2026/06/15 8:38 p.m.11 views

Use of Incorrectly-Resolved Name or Reference

Overview starlette is a The little ASGI library that shines. Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in the reconstruction of request.url when the HTTP request path does not begin with /. An attacker can mislead the application into trusti...

8.3CVSS5.3AI score0.00187EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/15 12:0 a.m.14 views

PT-2026-49596

Name of the Vulnerable Software and Affected Versions starlette versions prior to 1.3.1 Description The HTTP request path is not validated before being used to reconstruct request.url. When a path does not begin with /, such as @google.com, it is concatenated as scheme://hostpath. This shifts the...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References14
ptsecurity
ptsecurity
added 2026/06/04 12:0 a.m.19 views

PT-2026-46226

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description A URL validation flaw in the dashboard button widget allows a crafted relative-looking URL to be accepted as a local path while browsers interpret it as an external URL. The validation process...

6.1CVSS5.4AI score0.00148EPSS
Exploits0References4
github
github
added 2026/05/26 5:16 p.m.23 views

XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash

Impact It's possible to get access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false. This can apparently be reproduced on Tomcat instances. Patches This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9,...

9.3CVSS5.8AI score0.19538EPSS
Exploits1References5Affected Software1
snyk
snyk
added 2026/05/20 9:45 p.m.16 views

Relative Path Traversal

Overview Affected versions of this package are vulnerable to Relative Path Traversal via the resource parameter in the ssx and jsx endpoints when a leading slash is used. An attacker can access sensitive configuration files by crafting a URL that traverses directories. Note: This issue is due to...

9.8CVSS5.8AI score0.19538EPSS
Exploits1References2
cvelist
cvelist
added 2026/05/20 6:39 p.m.34 views

CVE-2026-23734 XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...

9.3CVSS0.19538EPSS
Exploits1References3
vulnrichment
vulnrichment
added 2026/05/20 6:39 p.m.13 views

CVE-2026-23734 XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash

XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...

9.3CVSS5.7AI score0.19538EPSS
Exploits1References3
cve
cve
added 2026/05/20 6:39 p.m.32 views

CVE-2026-23734

XWiki Platform suffers a Path Traversal vulnerability in which configuration files can be read via the resources parameter on the ssx and jsx endpoints using a leading slash (e.g., /../../WEB-INF/xwiki.cfg). Affected releases:

9.3CVSS5.7AI score0.19538EPSS
Exploits1References3
astralinux
astralinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in symfony

Symfony is a PHP framework for web and console applications, along with a set of reusable PHP components. Symfony’s HttpFoundation component defines an object-oriented layer for handling HTTP requests. Starting from version 2.0.0 and before versions 5.4.50, 6.4.29, and 7.3.7, the Request class...

7.3CVSS5.4AI score0.01344EPSS
Exploits0References2
github
github
added 2026/04/16 9:16 p.m.19 views

Mako: Path traversal via double-slash URI prefix in TemplateLookup

Summary TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations: - Template.init strips one leading / using if/slice - TemplateLookup.gettemplate strips all...

8.7CVSS5.8AI score0.00361EPSS
Exploits0References6Affected Software1
amazon
amazon
added 2026/04/14 12:0 a.m.6 views

Important: runfinch-finch

Issue Overview: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted...

9.1CVSS5.9AI score0.00522EPSS
Exploits1
nessus
nessus
added 2026/04/13 12:0 a.m.7 views

Amazon Linux 2023 : credentials-fetcher (ALAS2023-2026-1551)

"It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1551 advisory. gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server...

9.1CVSS5.9AI score0.00522EPSS
Exploits1References4
Rows per page
Query Builder