Lucene search
K

215 matches found

OSV
OSV
β€’added 2026/05/19 7:16 p.m.β€’6 views

UBUNTU-CVE-2026-33637

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...

6.5CVSS5.7AI score0.00272EPSS
Exploits1References4
Vulnrichment
Vulnrichment
β€’added 2026/05/19 5:44 p.m.β€’7 views

CVE-2026-33637 Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...

5.7AI score0.00272EPSS
Exploits1References2
Cvelist
Cvelist
β€’added 2026/05/19 5:44 p.m.β€’39 views

CVE-2026-33637 Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...

0.00272EPSS
Exploits1References2
EUVD
EUVD
β€’added 2026/05/19 5:44 p.m.β€’15 views

EUVD-2026-30966

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...

5.7AI score0.00272EPSS
Exploits1References2
CVE
CVE
β€’added 2026/05/19 5:44 p.m.β€’17 views

CVE-2026-33637

Faraday (HTTP client library) vulnerability CVE-2026-33637 affects versions 2.0.0–2.14.1, where protocol-relative host override is still possible when the request target is passed as a URI object to Faraday::Connection#build_exclusive_url. This can enable off-host request forgery by redirecting a...

6.5CVSS5.7AI score0.00272EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
β€’added 2026/05/19 5:44 p.m.β€’9 views

CVE-2026-33637

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...

5.7AI score0.00272EPSS
Exploits1References3Affected Software1
Debian CVE
Debian CVE
β€’added 2026/05/19 5:44 p.m.β€’10 views

CVE-2026-33637

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...

6.5CVSS5.7AI score0.00272EPSS
Exploits1
Github Security Blog
Github Security Blog
β€’added 2026/05/18 2:51 p.m.β€’21 views

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

Summary Faraday::Connectionbuildexclusiveurl still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...

6.5CVSS6AI score0.00272EPSS
Exploits1References5Affected Software1
OSV
OSV
β€’added 2026/05/18 2:51 p.m.β€’5 views

GHSA-5RV5-XJ5J-3484 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

Summary Faraday::Connectionbuildexclusiveurl still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...

6AI score0.00272EPSS
Exploits1References5
RubySec
RubySec
β€’added 2026/05/18 12:0 a.m.β€’47 views

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - protocol-relative URI objects still bypass host scoping

Summary Faraday::Connectionbuildexclusiveurl still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...

6.5CVSS5.9AI score0.00272EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
β€’added 2026/05/18 12:0 a.m.β€’15 views

PT-2026-41685

Name of the Vulnerable Software and Affected Versions Faraday versions 2.0.0 through 2.14.1 Description Faraday is an HTTP client library abstraction layer. A flaw exists where protocol-relative host override is possible when the request target is passed as a URI object instead of a String to the...

5.8AI score0.00272EPSS
Exploits1References6
NVD
NVD
β€’added 2026/05/14 10:16 p.m.β€’25 views

CVE-2026-44427

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path e.g., //evil.com/ tha...

0.00409EPSS
Exploits0References1
EUVD
EUVD
β€’added 2026/05/14 9:7 p.m.β€’12 views

EUVD-2026-30491

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path e.g., //evil.com/ tha...

5.8AI score0.00409EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
β€’added 2026/05/14 9:7 p.m.β€’7 views

CVE-2026-44427

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path e.g., //evil.com/ tha...

5.8AI score0.00409EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
β€’added 2026/05/14 9:7 p.m.β€’10 views

CVE-2026-44427 MCP Registry: Open Redirect

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path e.g., //evil.com/ tha...

5.8AI score0.00409EPSS
Exploits0References1
CVE
CVE
β€’added 2026/05/14 9:7 p.m.β€’31 views

CVE-2026-44427

The CVE-2026-44427 entry concerns the MCP Registry’s TrailingSlashMiddleware (internal/api/server.go), affecting versions 1.1.0–1.7.4. The vulnerability is an open redirect caused by processing protocol-relative paths (e.g., //evil.com/) without validating the redirect target after trimming trail...

5.8AI score0.00409EPSS
Exploits0References1
Vulnrichment
Vulnrichment
β€’added 2026/05/13 8:30 p.m.β€’8 views

CVE-2026-44372 Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References4
CVE
CVE
β€’added 2026/05/13 8:30 p.m.β€’26 views

CVE-2026-44372

CVE-2026-44372 affects Nitro, a server toolkit, with an Open Redirect via a protocol-relative URL bypass in wildcard route rules. Before the patch, a redirect rule using a wildcard could be manipulated to redirect cross-host by sliding an extra slash after the rule prefix. The issue is fixed in N...

6.1CVSS5.8AI score0.00237EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
β€’added 2026/05/13 8:30 p.m.β€’35 views

CVE-2026-44372 Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta...

5.3CVSS0.00237EPSS
Exploits0References4
Nextcloud
Nextcloud
β€’added 2026/05/12 8:51 a.m.β€’16 views

Open Redirect in user_oidc login flow via protocol-relative URL bypass

None...

6.1CVSS5.8AI score0.00232EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder