Lucene search
+L

24 matches found

Snyk
Snyk
added 2026/07/08 10:38 p.m.5 views

Improper Authentication

Overview github.com/nats-io/nats-server/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Improper Authentication in the parser fast path for inter-server connections, which applies a...

8.8CVSS6.1AI score0.00368EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/29 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-55677

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the...

7.5CVSS6.1AI score0.0043EPSS
Exploits0References3
NVD
NVD
added 2026/06/26 6:17 p.m.6 views

CVE-2026-48743

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer HEADERS with FIN / headers-only close but still carries a nonzero...

7.5CVSS0.00298EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 5:34 p.m.6 views

CVE-2026-48743

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer HEADERS with FIN / headers-only close but still carries a nonzero...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/06/26 5:34 p.m.32 views

CVE-2026-48743

Envoy (open source edge/service proxy) contains a HTTP/3 to HTTP/1 request smuggling vulnerability prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. A downstream HTTP/3 request that is complete at the transport layer with a nonzero Content-Length can be mistranslated into a complete upstream...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2026/06/12 3:16 p.m.13 views

CVE-2026-53721

Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4...

8.8CVSS0.00294EPSS
Exploits0References3
OSV
OSV
added 2026/06/11 1:26 p.m.13 views

GHSA-XF64-8MW2-4GR2 Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization

Summary There is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing...

7.8CVSS5.6AI score0.00591EPSS
Exploits2References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.10 views

CVE-2026-44373

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

5.3CVSS5.5AI score0.00392EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.16 views

Linux Distros Unpatched Vulnerability : CVE-2026-44573

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n...

7.5CVSS5.8AI score0.00592EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/13 8:26 p.m.7 views

CVE-2026-44373 Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

5.3CVSS5.8AI score0.00392EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/13 8:26 p.m.12 views

CVE-2026-44373

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

5.3CVSS5.8AI score0.00392EPSS
Exploits0References6Affected Software2
OSV
OSV
added 2026/02/24 8:31 p.m.6 views

GHSA-G7PC-PC7G-H8JH Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Summary Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that rou...

8.7CVSS5.7AI score0.0037EPSS
Exploits1References6
OSV
OSV
added 2026/02/24 4:28 p.m.9 views

CVE-2026-27588 Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list 100 entries it becomes case-sensitive due to an optimized matching path. An attacker can bypass...

8.7CVSS5.7AI score0.0037EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/02/24 4:28 p.m.26 views

CVE-2026-27588 Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list 100 entries it becomes case-sensitive due to an optimized matching path. An attacker can bypass...

8.7CVSS0.0037EPSS
Exploits1References2
CVE
CVE
added 2026/02/24 4:28 p.m.97 views

CVE-2026-27588

Summary (CVE-2026-27588) Caddy (v2.x) vulnerability in the host matcher: when a large allowlist (>100 hosts) is configured, the MatchHost algorithm uses a fast path that enforces a case-sensitive comparison, which makes the host matching effectively case-sensitive and can bypass host-based rou...

9.1CVSS5.6AI score0.0037EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/02/24 4:26 p.m.8 views

CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

8.7CVSS5.6AI score0.0037EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/02/24 4:26 p.m.15 views

CVE-2026-27587 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences %xx it compares against the request's escaped path without lowercasing. An...

8.7CVSS5.9AI score0.0037EPSS
Exploits1References2
Veracode
Veracode
added 2025/11/28 5:57 a.m.16 views

Server-Side Request Forgery (SSRF)

Astro is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insecure and unsanitized use of the x-forwarded-proto and x-forwarded-port headers when constructing URLs, which allows an attacker to manipulate these headers to bypass protected routes, poison caches, trigger...

6.5CVSS7.1AI score0.01189EPSS
Exploits2References5Affected Software1
RedhatCVE
RedhatCVE
added 2025/11/14 4:5 p.m.7 views

CVE-2025-64525

Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are:...

6.5CVSS6.9AI score0.01189EPSS
Exploits2References1
EUVD
EUVD
added 2025/11/13 10:46 p.m.12 views

EUVD-2025-175298

Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass...

6.5CVSS6.3AI score0.01189EPSS
Exploits2References5
Rows per page
Query Builder