Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

Summary Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list 100 entries it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the...

CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

CVE-2026-27587

CVE-2026-27587 affects Caddy prior to 2.11.1. The HTTP path matcher is intended to be case-insensitive, but when the pattern contains percent-escape sequences (%xx) it compares against the escaped path without lowercasing, allowing an attacker to bypass path-based routing or access controls by al...

CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

CVE-2026-27007

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

CVE-2026-27007

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

CVE-2026-27007 OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

CVE-2026-27007 OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

CVE-2026-27007 OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

PT-2026-20968

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation

Description normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether...

opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path

A security vulnerability has been discovered in how the input.parsedpath field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes // as authority components, and therefore dropping them from the parsed path. Thi...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the input.parsedpath field. An attacker can gain unauthorized access to protected resources by crafting HTTP requests with double slashes in the path, causing a mismatch between the path evaluated by...

OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication

Summary The optional Tlon Urbit extension previously accepted a user-provided base URL for authentication and used it to construct an outbound HTTP request, enabling server-side request forgery SSRF in affected deployments. Impact This only affects deployments that have installed and configured t...

PT-2026-20563

A security vulnerability has been discovered in how the input.parsed path field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes // as authority components, and therefore dropping them from the parsed path. Th...

PT-2026-20568

Name of the Vulnerable Software and Affected Versions opa-envoy-plugun versions prior to 1.13.2-envoy-2 Description The opa-envoy-plugun plugin has an issue in how the input.parsed path field is constructed. HTTP request paths are treated as full URIs during parsing, leading to the interpretation...

tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE

A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If...

USN-8032-1: AIOHTTP vulnerabilities

Charles Chan discovered that AIOHTTP incorrectly handled the decompression of compressed requests. A remote attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 25.10. CVE-2025-69223 Thomas Rinsma discovered that AIOHTTP incorrectly handled...

USN-8032-1 python-aiohttp vulnerabilities

Charles Chan discovered that AIOHTTP incorrectly handled the decompression of compressed requests. A remote attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 25.10. CVE-2025-69223 Thomas Rinsma discovered that AIOHTTP incorrectly handled...

CVE-2026-25480

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...