Lucene search
K

1209 matches found

CVE
CVE
added 2026/04/17 8:49 p.m.38 views

CVE-2026-40299

The CVE-2026-40299 issue affects the next-intl library used with Next.js. The vulnerability arises in the middleware when localePrefix: 'as-needed' is enabled, allowing URL handling and the WHATWG URL parser to resolve a relative redirect target to another host. This can cause the browser to be r...

6.9CVSS5.7AI score0.00339EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/17 8:49 p.m.9 views

CVE-2026-40299 next-intl has an open redirect vulnerability

next-intl provides internationalization for Next.js. Applications using the next-intl middleware prior to version 4.9.1with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or...

6.9CVSS5.7AI score0.00339EPSS
Exploits0References4
Oracle linux
Oracle linux
added 2026/04/16 12:0 a.m.15 views

perl:5.32 security update

perl 4:5.32.1-474 - Resolves: RHEL-153834 - Fix CVE-2025-40909 - Clone dirhandles without fchdir 4:5.32.1-473 - Fix CVE-2023-47038 - Added perl-autouse and perl-ExtUtils-MM-Utils to perl run-requires 4:5.32.1-472 - Add definition of OPTIMIZE to .ph files, if optimizing is used bug2159760...

5.9CVSS6AI score0.00832EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/04/14 10:49 p.m.8 views

WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

Summary The locale save endpoint locale/save.php constructs a file path by directly concatenating $POST'flag' into the path at line 30 without any sanitization. The $POST'code' parameter is then written verbatim to that path via fwrite at line 40. An admin attacker or any user who can CSRF an...

8.7CVSS6.1AI score0.00656EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/14 10:49 p.m.5 views

GHSA-6RC6-P838-686F WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

Summary The locale save endpoint locale/save.php constructs a file path by directly concatenating $POST'flag' into the path at line 30 without any sanitization. The $POST'code' parameter is then written verbatim to that path via fwrite at line 40. An admin attacker or any user who can CSRF an...

8.7CVSS6.1AI score0.00656EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/14 10:49 p.m.13 views

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the locale/save.php process. An attacker can write arbitrary PHP files to any web-accessible directory and execute code by supplying crafte...

8.7CVSS6.5AI score0.00656EPSS
Exploits1References2
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/13 9:49 p.m.3 views

Security Bulletin: vulerability in IBM Spectrum Symphony with spring framework

Summary vulerability in IBM Spectrum Symphony with spring framework Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could...

5.3CVSS5.8AI score0.05666EPSS
Exploits2Affected Software1
Snyk
Snyk
added 2026/04/10 9:3 p.m.2 views

Open Redirect

Overview next-intl is an Internationalization i18n for Next.js Affected versions of this package are vulnerable to Open Redirect in the middleware process when localePrefix is set to 'as-needed'. An attacker can redirect users to an external site by crafting URLs that exploit the way relative...

6.9CVSS5.6AI score0.00339EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/10 9:3 p.m.7 views

next-intl has an open redirect vulnerability

Impact Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or control characters stripped by the URL parser, so the middleware coul...

6.9CVSS5.8AI score0.00339EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/04/10 9:3 p.m.3 views

GHSA-8F24-V5VV-GM5J next-intl has an open redirect vulnerability

Impact Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or control characters stripped by the URL parser, so the middleware coul...

6.9CVSS5.8AI score0.00339EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.8 views

PT-2026-32979

Name of the Vulnerable Software and Affected Versions next-intl versions prior to 4.9.1 Description Applications using the middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host. This occurs...

6.9CVSS5.8AI score0.00339EPSS
Exploits0References9
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/03 5:28 p.m.7 views

Malicious code in strapi-plugin-locale (npm)

strapi-plugin-locale is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...

6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/02 9:0 p.m.2 views

Malicious Package

Overview strapi-plugin-locale is a malicious package. This package contains malicious code that conceals a command-and-control agent and credential harvester. A malicious actor published a coordinated campaign of thirty-six packages disguised as community Strapi CMS plugins. These packages aren't...

9.8CVSS6AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.7 views

CVE-2026-32939

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase without specifying an explicit Locale, causing its security...

8.1CVSS5.8AI score0.00447EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.5 views

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS6.4AI score0.0074EPSS
Exploits1References1
NVD
NVD
added 2026/03/23 7:16 p.m.6 views

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS0.0074EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/23 6:21 p.m.2 views

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS6.4AI score0.0074EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/23 6:21 p.m.3 views

CVE-2026-33513 AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS6.4AI score0.0074EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/23 6:21 p.m.20 views

CVE-2026-33513 AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS0.0074EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/23 6:21 p.m.3 views

EUVD-2026-14480

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS6.4AI score0.0074EPSS
Exploits1References1
Rows per page
Query Builder