Lucene search
K

28 matches found

EUVD
EUVD
added yesterday7 views

EUVD-2026-42876

Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value a...

2.1CVSS6.1AI score
Exploits0References4
Cvelist
Cvelist
added yesterday24 views

CVE-2026-56813 Cookie attribute injection in Plug.Conn.Cookies.encode/2

Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value a...

2.1CVSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.9 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.4AI score0.00483EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/16 1:3 a.m.5 views

EUVD-2026-22881

@fastify/express has a middleware authentication bypass via URL normalization gaps duplicate slashes and semicolons...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/15 9:29 a.m.33 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS0.00483EPSS
Exploits1References2
CVE
CVE
added 2026/04/15 9:29 a.m.22 views

CVE-2026-33808

CVE-2026-33808 affects fastify/express. Root cause: @fastify/express v4.0.4 and earlier fail to normalize URLs before passing to Express middleware when Fastify router normalization is enabled, allowing bypass of path-scoped authentication via duplicate slashes or semicolon delimiters. Outcome: a...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.13 views

PT-2026-33035

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated...

10CVSS5.2AI score0.00483EPSS
Exploits1References11
EUVD
EUVD
added 2026/02/28 2:47 a.m.7 views

EUVD-2026-9049

@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware...

8.2CVSS5.9AI score0.0039EPSS
Exploits0References6
Snyk
Snyk
added 2026/02/27 9:24 p.m.4 views

Interpretation Conflict

Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict via the middleware matching engine when router options like ignoreDuplicateSlashes, useSemicolonDelimiter, or other trailing-slash normalization are enabled. An...

9.1CVSS6AI score0.0039EPSS
Exploits0References2
NVD
NVD
added 2026/02/27 7:16 p.m.7 views

CVE-2026-2880

A vulnerability in @fastify/middie versions 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware for example, app.use'/secret', auth. When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related...

9.1CVSS0.0039EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/27 6:25 p.m.2 views

CVE-2026-2880 @fastify/middie has an improper path normalization vulnerability

A vulnerability in @fastify/middie versions 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware for example, app.use'/secret', auth. When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related...

8.2CVSS5.9AI score0.0039EPSS
Exploits0References1
OSV
OSV
added 2026/02/27 6:25 p.m.5 views

CVE-2026-2880 @fastify/middie has an improper path normalization vulnerability

A vulnerability in @fastify/middie versions 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware for example, app.use'/secret', auth. When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related...

8.2CVSS5.9AI score0.0039EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2025/11/11 7:52 p.m.5 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/11 3:5 p.m.6 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/10 1:37 a.m.5 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/06 2:27 a.m.4 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/06 2:27 a.m.6 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/05 11:49 p.m.8 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/04 11:37 p.m.4 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2025/11/04 5:6 p.m.6 views

rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

An unsafe default behavior in Rack::QueryParser allows bypass of the paramslimit parameter count restriction when query string parameters are delimited by semicolons ; rather than ampersands &. The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, ...

7.5CVSS6.9AI score0.00535EPSS
Exploits0References6
Rows per page
Query Builder