EUVD-2026-1181

OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials...

PT-2026-1559

Name of the Vulnerable Software and Affected Versions OpenFlagr versions prior to and including 1.1.18 Description The software contains an authentication bypass issue in the HTTP middleware. Improper path normalization within the whitelist logic allows crafted requests to bypass authentication,...

Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints

Note This is a separate issue from the RCE vulnerability State Pollution currently being patched. While related to tokensecurity.js, it involves different endpoints and risks. Summary An unauthenticated information disclosure vulnerability allows any user to retrieve sensitive system information,...

PT-2026-25819

Name of the Vulnerable Software and Affected Versions Glances versions prior to 4.5.2 Description Glances, a system cross-platform monitoring tool, had insufficient host validation in its main REST/WebUI FastAPI application prior to version 4.5.2. This allowed the REST API, WebUI, and token...

CVE-2025-69211

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

GHSA-8WPR-639P-CCRJ Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

A NestJS application is vulnerable if it meets all of the following criteria: 1. Platform: Uses @nestjs/platform-fastify. 2. Security Mechanism: Relies on NestMiddleware via MiddlewareConsumer for security checks authentication, authorization, etc., or through app.use 3. Routing: Applies middlewa...

Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

A NestJS application is vulnerable if it meets all of the following criteria: 1. Platform: Uses @nestjs/platform-fastify. 2. Security Mechanism: Relies on NestMiddleware via MiddlewareConsumer for security checks authentication, authorization, etc., or through app.use 3. Routing: Applies middlewa...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the URL encoding middleware, allowing it to be bypassed in certain configurations. An...

CVE-2025-69211

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVE-2025-69211

CVE-2025-69211 affects Nest.js applications using the Fastify platform integration before version 11.1.11. The issue is a bypass in the Fastify URL encoding middleware that can skip security checks implemented via NestMiddleware (via MiddlewareConsumer) or app.use(), particularly when middleware ...

CVE-2025-69211 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVE-2025-69211 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVE-2025-69211 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

PT-2025-53755

Name of the Vulnerable Software and Affected Versions Nest versions prior to 11.1.11 Description Nest is a framework used for building scalable Node.js server-side applications. A flaw exists where the Fastify URL encoding middleware can be bypassed. This impacts applications utilizing...

CVE-2013-10031

Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability ...

Zerobyte 安全漏洞

Zerobyte is a hosting automated backup software by Nico Personal Developers. A security vulnerability exists in Zerobyte versions prior to 0.18.5 and prior to 0.19.0, which stems from the authentication middleware not being properly applied to API endpoints, potentially leading to authentication...

GO-2025-4206 Path Normalization Bypass in Traefik Router + Middleware Rules in github.com/traefik/traefik

Path Normalization Bypass in Traefik Router + Middleware Rules in github.com/traefik/traefik...

CVE-2025-66492 Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the section of the HTM...

SUSE CVE-2025-66490

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...

Linux Distros Unpatched Vulnerability : CVE-2013-10031

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks CVE-2013-10031 Note that Nessus relies on the presence of the...