CVE-2026-48714

The CVE-2026-48714 issue affects i18next-http-middleware prior to 3.9.7. The missingKeyHandler can accept request-body keys like proto , constructor, and prototype (and similar dotted variants) and, when downstream backends such as i18next-fs-backend ≤ 2.6.5 split on keySeparator, passes them to ...

Nest: Middleware Bypass on Fastify via Trailing Slash

Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

GHSA-6V32-FJC9-9QF6 Nest: Middleware Bypass on Fastify via Trailing Slash

Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...

PT-2026-49595

Name of the Vulnerable Software and Affected Versions @nestjs/platform-fastify versions prior to 11.1.24 Description An authentication bypass exists in the Fastify adapter when middleware is registered through the MiddlewareConsumer.forRoutes API. An unauthenticated client can bypass registered...

PT-2026-49529

Name of the Vulnerable Software and Affected Versions i18next-http-middleware versions prior to 3.9.7 i18next-fs-backend versions 2.6.5 and earlier Description The missingKeyHandler in i18next-http-middleware fails to reject dotted variants of restricted keys, such as proto .polluted, while only...

CVE-2026-47200

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled default in Nuxt 4, any...

CVE-2026-53721

CVE-2026-53721 affects Nuxt (Vue.js framework) earlier branches: 3.11.0–3.21.6 and 4.0.0–4.4.6 are vulnerable to a route-rule middleware bypass caused by a case-sensitivity mismatch between vue-router and the routeRules matcher. The issue has been patched in Nuxt versions 3.21.7 and 4.4.7. The CV...

CVE-2026-47200 Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled default in Nuxt 4, any...

EUVD-2026-36422

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled default in Nuxt 4, any...

CVE-2026-47200 Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled default in Nuxt 4, any...

CVE-2026-47200

Nuxt CVE-2026-47200 affects Nuxt 3.11.0–3.21.5 and 4.0.0-alpha.1–4.4.5 with experimental.componentIslands enabled. Server islands under /_nuxt_island/page * for .server.vue pages could bypass route middleware, exposing server-rendered content without Vue Router middleware running. Patch applied i...

PT-2026-48880

Name of the Vulnerable Software and Affected Versions Nuxt versions 3.11.0 through 3.21.6 Nuxt versions 4.0.0 through 4.4.6 Description A route-rule middleware bypass exists due to a case-sensitivity mismatch between vue-router and the routeRules matcher. Recommendations Update to version 3.21.7...

PT-2026-48687

Name of the Vulnerable Software and Affected Versions meta-ads-mcp versions prior to 1.0.102 Description An improper authentication issue exists where the AuthInjectionMiddleware.dispatch function in http auth integration.py unconditionally forwards unauthenticated Streamable HTTP requests to...

CVE-2026-5078

A flaw was found in the morgan HTTP request logging middleware versions 1.2.0 through 1.10.1. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted...

Reliance on Untrusted Inputs in a Security Decision

Overview litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision through the AllowedHostsMiddleware in the host validation middleware. An attacker can bypa...

Exploit for Incorrect Authorization in Vercel Next.Js

CVE-2025-29927 Lab Minimal reproduction lab for CVE-2025-2992...

GHSA-W7W5-5GCP-38RW nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via unsanitized string concatenation in the authglinet middleware when the application is started in GLiNET mode. An attacker can gain full administrative access by supplying a crafted path traversal sequence in the...

CVE-2026-41448

CVE-2026-41448 affects AdGuard Home when started with --glinet. The vulnerability stems from unsanitized path construction in the authglinet middleware, enabling an authentication bypass via a crafted path traversal sequence in the Admin-Token cookie/header, yielding unauthenticated full admin ac...