1012 matches found
CVE-2026-39407 Hono has a middleware bypass via repeated slashes in serveStatic
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for...
CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...
GHSA-WMMM-F939-6G9C Hono: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
GHSA-92PP-H63X-V22M @hono/node-server: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
GHSA-5G3J-89FR-R2VP skilleton has improper input handling in repository/path processing
Summary skilleton versions prior to 0.3.1 include security-related weaknesses in repository normalization and path handling logic. Version 0.3.1 contains fixes and additional test coverage for these issues. Affected Versions =0.3.1 Impact In affected versions, crafted input could trigger unsafe o...
PT-2026-31666
Name of the Vulnerable Software and Affected Versions: basic-ftp versions 5.2.0 Description: basic-ftp is an FTP client for Node.js. Versions prior to 5.2.1 are susceptible to FTP command injection due to improper handling of CRLF sequences r within file path parameters used in high-level path AP...
CVE-2026-22682
OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository...
Technostrobe HI-LED-WR120-G2 安全漏洞
Technostrobe HI-LED-WR120-G2 is a high-brightness industrial strobe lighting device from the Canadian company Technostrobe. Version 5.5.0.1R6.03.30 of Technostrobe HI-LED-WR120-G2 contains a security vulnerability. This vulnerability stems from incorrect handling of parameters “dir” and “path” in...
CVE-2026-34779 Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder used an AppleScript fallback path that did not properly handle certain characters in the...
Linux kernel 安全漏洞
The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the incorrect path not releasing the skb objects properly, potentially leading to memory leaks or...
EUVD-2026-17877
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled pat...
USN-8136-1 dovecot vulnerabilities
It was discovered that Dovecot incorrectly handled invalid base64 SASL data. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 25.10. CVE-2025-59028 It was discovered that Dovecot script decode2text.sh incorrectly handled zip files. An attacke...
SUSE SLES15 / openSUSE 15 Security Update : kea (SUSE-SU-2026:1091-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1091-1 advisory. Update to release 2.6.3 bsc1243240: - CVE-2025-32801: Fixed loading a malicious hook library can lead to local...
CVE-2026-34475
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass...
SUSE-SU-2026:1091-1 Security update for kea
This update for kea fixes the following issues: Update to release 2.6.3 bsc1243240: - CVE-2025-32801: Fixed loading a malicious hook library can lead to local privilege escalation. - CVE-2025-32802: Fixed insecure handling of file paths allows multiple local attacks. - CVE-2025-32803: Fixed...
CVE-2025-43534
A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.2 and iPadOS 26.2. A user with physical access to an iOS device may be able to bypass Activation Lock...
CVE-2026-20688
A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to break out of its sandbox...
CVE-2026-28816
A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to delete files for which it does not have permission...
CVE-2026-28827
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to break out of its sandbox...
CVE-2026-28823
A path handling issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.4. An app with root privileges may be able to delete protected system files...