15 matches found
CVE-2026-23743
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user...
EUVD-2026-4861
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user...
CVE-2026-23743 Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user...
CVE-2025-29157
An issue in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via accessing a non-existent endpoint/cart, the server returns a 404-error page exposing sensitive information including the Servlet name default and server version...
Swagger Petstore Sample Security Vulnerability
Swagger Petstore Sample is a sample petstore system in the Swagger open source. A security vulnerability exists in Swagger Petstore Sample version 1.0.7, which stems from a server returning a 404 error page and exposing sensitive information when accessing a non-existent endpoint or shopping cart...
Shopware Security Vulnerabilities
Shopware is a suite of open source e-commerce software from the German company Shopware. A security vulnerability exists in Shopware versions prior to 6.5.8.7 that stems from the session being persistent in the cache of a 404 page...
CVE-2023-33276
The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and 3.3.8.0 responds with a "404 - Not Found" status code if a path is accessed that does not exist. However, the value of the path is reflected in the response. As the application will reflect the supplied path without...
PYSEC-2023-40
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Organizers can trigger the overwriting (with the standard pretalx 404 page content) of an arbitrary file...
CVE-2021-37573
A reflected cross-site scripting (XSS) vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) =1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page...
DEBIAN-CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches...
UBUNTU-CVE-2019-3498
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found, leading to content spoofing (in a 404 error page) if a user fails to recognize th...
PT-2019-1680 · Django Software Foundation +2 · Django +2
Name of the Vulnerable Software and Affected Versions: Django versions 1.11.x through 1.11.17; Django versions 2.0.x through 2.0.9; Django versions 2.1.x through 2.1.4. Description: The issue is related to insufficient neutralization of special elements in output used by a downstream component. This...
JON: Cross Site scripting possible on the JBoss ON 404 error page
It was discovered that a cross-site scripting (XSS) vulnerability on a JBoss Operations Network 404 error page allowed for session fixation attacks. An attacker could use this flaw to impersonate a legitimate user, resulting in compromised integrity of secure data...
CVE-2015-3391
The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtain sensitive node titles by reading a 403 Not Found page...
DEBIAN-CVE-2006-4067
Cross-site scripting (XSS) vulnerability in cake/libs/error.php in CakePHP before 1.1.7.3363 allows remote attackers to inject arbitrary web script or HTML via the URL, which is reflected back in a 404 "Not Found" error page. NOTE: some of these details are obtained from third party information...