215 matches found
CVE-2026-25765
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
CVE-2026-25765
CVE-2026-25765 affects Faraday (an HTTP client abstraction). The vulnerability arises in build_exclusive_url (lib/faraday/connection.rb) which uses URI#merge; protocol-relative URLs (e.g., //evil.com/…) override the base URL’s host, enabling potential SSRF if user-controlled input is passed to ge...
PT-2026-7153
Name of the Vulnerable Software and Affected Versions Faraday versions prior to 2.14.1 Description Faraday is an HTTP client library abstraction layer. A flaw exists in the build exclusive url method located in lib/faraday/connection.rb due to the use of Ruby’s URImerge function. This allows an...
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Impact Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs e.g. //evil.com/path are treated as network-path references that override the base URL's host/authority...
CVE-2026-25149 Qwik City Open Redirect via fixTrailingSlash
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convinci...
CVE-2026-25149
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convinci...
EUVD-2026-5169
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convinci...
CVE-2026-25149
CVE-2026-25149 describes an Open Redirect in Qwik City’s default request handler middleware (fixTrailingSlash) affecting qwik-city prior to v1.19.0. The vulnerability lets remote attackers craft links that redirect victims to arbitrary protocol-relative URLs, enabling phishing-like redirects from...
CVE-2026-25149 Qwik City Open Redirect via fixTrailingSlash
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convinci...
Qwik City Open Redirect via fixTrailingSlash
Summary Description An Open Redirect CWE-601 vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from t...
PT-2026-6399
Summary Description An Open Redirect CWE-601 vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from t...
PT-2026-6274
Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.0 Description An Open Redirect issue exists in Qwik City’s default request handler middleware. This allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation could allow...
CVE-2026-21879 Kanboard vulnerable to Open Redirect via protocol-relative URLs
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the...
CVE-2026-21879 Kanboard vulnerable to Open Redirect via protocol-relative URLs
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the...
GO-2025-4226 Miniflux has an Open Redirect via protocol-relative redirect_url in miniflux.app
Miniflux has an Open Redirect via protocol-relative redirecturl in miniflux.app...
CVE-2025-67713
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirecturl as safe when url.Parse....IsAbs is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via the redirecturl parameter when url.Parse....IsAbs is false. An attacker can redirect users to malicious sites by supplying a protocol-relative URL with an empty scheme, which is improperly validated and allows...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via the redirecturl parameter when url.Parse....IsAbs is false. An attacker can redirect users to malicious sites by supplying a protocol-relative URL with an empty scheme, which is improperly validated and allows...
CVE-2025-67713 Miniflux 2 has an Open Redirect via protocol-relative `redirect_url`
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirecturl as safe when url.Parse....IsAbs is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to...