Lucene search
K

142 matches found

Nuclei
Nuclei
added yesterday126 views

OpenMetadata - Authentication Bypass

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...

9.8CVSS7.6AI score0.73255EPSS
Exploits5References5
NVD
NVD
added 2 days ago7 views

CVE-2026-14198

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...

9.1CVSS0.00314EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-40146

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the...

9.3CVSS5.8AI score0.00374EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 1:47 p.m.10 views

CVE-2026-13426

The Mattermost Go module github.com/mattermost/mattermost/server/public versions

5.4CVSS5.8AI score0.00197EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.9 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.7AI score0.0036EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 7:16 a.m.10 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS0.0036EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/26 5:0 a.m.41 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS0.0036EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/26 5:0 a.m.14 views

EUVD-2026-31792

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References4
CVE
CVE
added 2026/05/26 5:0 a.m.30 views

CVE-2026-9495

CVE-2026-9495 affects the npm package @koa/router, specifically versions 14.0.0 and earlier than 15.0.0. The issue is an Access Control Bypass caused by middleware being silently dropped from the execution chain when the router prefix contains path parameters. This can enable bypass of authentica...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/26 5:0 a.m.8 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.8 views

@koa/router 安全漏洞

@koa/router is a routing middleware developed by Koa.js. Versions from 14.0.0 to 15.0.0 of @koa/router had a security vulnerability. This vulnerability occurred when the router prefix contained path parameters, causing the middleware to silently discard requests, which could lead to access contro...

7.3CVSS5.8AI score0.0036EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.21 views

PT-2026-43190

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References4
CVE
CVE
added 2026/05/15 6:36 p.m.14 views

CVE-2021-47967

CVE-2021-47967 affects PHP Timeclock 1.04 with multiple cross-site scripting (XSS) vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can target login.php, timeclock.php, audit.php, and timerpt.php endpoints...

6.1CVSS5.9AI score0.00211EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/15 6:36 p.m.7 views

CVE-2021-47967 PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, o...

6.1CVSS5.9AI score0.00211EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/15 6:1 p.m.13 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generic download endpoint when the disk and path parameters are supplied in the request. An attacker can access unrelated files stored on configured storage disks by manipulating...

7.7CVSS5.8AI score0.00262EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/22 8:28 p.m.10 views

i18next-locize-backend has URL Injection via Unsanitized Path Parameters

Summary Versions of i18next-locize-backend prior to 9.0.2 interpolate lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of...

6.5CVSS5.7AI score0.00224EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/04/21 9:9 p.m.31 views

CVE-2026-6829

CVE-2026-6829 affects the open-source project nesquena Hermes-webUI. The connected documents describe a trust-boundary failure in Hermes-webUI that allows an authenticated attacker to repoint a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters ...

6.3CVSS5.9AI score0.0026EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/21 9:9 p.m.5 views

CVE-2026-6829

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update,...

6.3CVSS5.9AI score0.0026EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/17 12:0 a.m.8 views

QiHui JBTC CMS 安全漏洞

QiHui JBTC CMS is an open-source content management system developed by QiHui. Version 5.0.3.6 of QiHui JBTC CMS contains a security vulnerability. This vulnerability stems from an unknown function in the component Code Endpoint, which improperly handles parameters with the path parameter in the...

5.3CVSS5.7AI score0.00365EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/04/13 12:0 a.m.15 views

Linux Distros Unpatched Vulnerability : CVE-2026-39983

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to...

8.6CVSS5.8AI score0.02185EPSS
Exploits1References3
Rows per page
Query Builder