64 matches found
GHSA-GX7W-56W6-G48X Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
AI Disclosure I used an LLM to help review the source code, reason about attack surface, and help draft and refine this report. I manually validated the finding by reproducing it locally, confirming the vulnerable code path, and verifying the HTTP behavior with curl -v. Summary Caddy's remote adm...
CVE-2026-44471
gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries...
CVE-2026-42885 Audiobookshelf: Path prefix bypass in filesystem existence check leaks out-of-scope file existence
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix e.g.,...
CVE-2026-42885
CVE-2026-42885 : Audiobookshelf (self-hosted server) has a path-prefix bypass in the POST /api/filesystem/pathexists check. Before version 2.32.2, the code uses String.startsWith() to verify a resolved path is within a library folder, which fails for sibling directories with a shared prefix (for ...
GHSA-FFGH-3JRF-8WVH Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Impact Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as t...
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Impact Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as t...
EUVD-2026-23019
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision...
CVE-2026-40256
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...
CVE-2026-40256
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...
CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...
CVE-2026-40256
Weblate (localization tool) contains a defect in repository-boundary validation prior to version 5.17 where absolute path checks use a simple startswith against the repository root, not path-segment aware. This can be bypassed when an external path shares the same string prefix as the repository ...
CVE-2026-40256 Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed whe...
PT-2026-33125
Name of the Vulnerable Software and Affected Versions Weblate versions prior to 5.17 Description Repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This process is not...
File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
Hi, The Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploadsbackup/, granting or denying access to unintended directories. Verified against v2.62.2 commit 860c19d. Detai...
GHSA-5Q48-Q4FM-G3M6 File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
Hi, The Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploadsbackup/, granting or denying access to unintended directories. Verified against v2.62.2 commit 860c19d. Detai...
GHSA-H2JQ-G4CQ-5PPQ Rack::Static prefix matching can expose unintended files under the static root
Summary Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...
CVE-2026-34451
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did no...
EUVD-2026-17294
SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking...
SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking
Summary The Enforcer incorrectly validates scope paths by using a simple prefix match startswith. This allows a token with access to a specific path e.g., /john to also access sibling paths that start with the same prefix e.g., /johnathan, /johnny, which is an Authorization Bypass. Details File:...
CVE-2026-32726 SciTokens C++: Sibling-Path Authorization Bypass
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was...