EUVD-2026-20491

@hono/node-server: Middleware bypass via repeated slashes in serveStatic...

@hono/node-server: Middleware bypass via repeated slashes in serveStatic

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

PT-2026-31280

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

PT-2026-31281

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

Hono 路径遍历漏洞

Hono is a web framework written in TypeScript for the Hono community. Versions of Hono prior to 4.12.12 contained a path traversal vulnerability. This vulnerability stemmed from inconsistent handling of serveStatic paths, allowing access to protected static files using repeated slashes, thereby...

Node.js Adapter for Hono 路径遍历漏洞

The Node.js Adapter for Hono is an open-source tool developed by Hono, designed to run Hono applications on Node.js. Versions of the Node.js Adapter for Hono prior to 1.19.13 contained a path traversal vulnerability. This vulnerability stemmed from inconsistent path handling, allowing access to...

CVE-2026-39339

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained security vulnerabilities. These vulnerabilities stemmed from authentication bypasses in the API middleware, allowing unverified attackers to access all protected API endpoints...

GHSA-V569-HP3G-36WR Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header

Summary Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted...

CVE-2026-34072

CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...

CVE-2026-34230 Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a respon...

CVE-2026-34206

Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting XSS vulnerability exists in github.com/libops/captcha-protect. The challenge page accepte...

GHSA-JGFX-74G2-9R6G goshs has Auth Bypass via Share Token

Summary When using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. Details The BasicAuthMiddleware checks for a ?token= parameter before checking credentials. If the token exists in SharedLinks, the request passes...

EUVD-2026-17971

CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...

CVE-2026-34072

CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...

CVE-2026-34072 cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution

CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...

cronmaster 安全漏洞

Cronmaster is a web-based Cron task management and system monitoring tool developed by fccview’s individual developers. Versions of Cronmaster prior to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from authentication bypasses in the middleware. When session verification...

CVE-2026-34206

Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting XSS vulnerability exists in github.com/libops/captcha-protect. The challenge page accepte...

CVE-2026-5087 PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely. PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails for example, on systems without the device, such as Windows, then it...