curl: wcurl treats some URL operands after -- as curl options

I found that wcurl does not always keep operands after -- in a pure URL-data context. The documented way to pass curl options through wcurl is --curl-options, but a value supplied as a URL operand can still reach the final curl command as an option, for example wcurl -- "--url=file:///...". A...

CVE-2026-25223 Fastify's Content-Type header tab character allows body validation bypass

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character \t followed by arbitrary content ...

CVE-2026-25223

CVE-2026-25223 affects the Fastify web framework for Node.js. Before version 5.7.2, a validation bypass allows an attacker to bypass request body validation by appending a tab character to the Content-Type header, causing the server to process the body as the original content type without proper ...

CVE-2026-25223 Fastify's Content-Type header tab character allows body validation bypass

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character \t followed by arbitrary content ...

GHSA-JX2C-RXCM-JVMQ Fastify's Content-Type header tab character allows body validation bypass

Impact A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character \t followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the serve...

Fastify's Content-Type header tab character allows body validation bypass

Impact A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character \t followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the serve...

PT-2026-6281

Name of the Vulnerable Software and Affected Versions Fastify versions prior to 5.7.2 Description Fastify is a web framework for Node.js. A validation bypass exists where request body validation schemas specified by Content-Type can be circumvented. Appending a tab character t followed by arbitra...

PT-2026-6444

Impact A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character t followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server...

MiracleLinux 8 : mod_auth_openidc:2.3 (AXSA:2023-7316:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-7316:01 advisory. modauthopenidc: Open Redirect in oidcvalidateredirecturl using tab character CVE-2022-23527 modauthopenidc: NULL pointer dereference when...

GHSA-MQJC-X563-C9Q8 silverstripe/framework CSV Excel Macro Injection

In the CSV export feature of the CMS it's possible for the output to contain macros and scripts, which if imported without sanitisation into software including Microsoft Excel may be executed. In order to safeguard against this threat all potentially executable cell values exported from CSV will ...

mod_auth_openidc: Open Redirect in oidc_validate_redirect_url() using tab character

An open redirect vulnerability was found in modauthopenidc, an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. When providing a logout parameter to the redirect URI, the existing code in oidcvalidateredirecturl does not properly check for URLs that start...

mod_auth_openidc: Open Redirect in oidc_validate_redirect_url() using tab character

An open redirect vulnerability was found in modauthopenidc, an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. When providing a logout parameter to the redirect URI, the existing code in oidcvalidateredirecturl does not properly check for URLs that start...

K18263026: The BIG-IP HTTP parser can incorrectly parse a tab character

Security Advisory Description When scanning a URI, the HTTP parser on the BIG-IP system may periodically treat a tab character as white space, which causes incorrect URI parsing. For example, the BIG-IP system receives the following GET string in an HTTP request: GET \t/admin/ HTTP/1.0\r\n\r\n...

SUSE CVE-2022-24888

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders...

PT-2022-16958 · Nextcloud +1 · Nextcloud Server +1

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1 Description: The issue allows creating files and folders with leading and trailing , r, t, and v characters. The server rejects these characters when they appear in the...

CVE-2018-5143

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting XSS attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially...

UBUNTU-CVE-2018-5143

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting XSS attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially...

CVE-2018-7738

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command within Bash by a different user, as demonstrated by logging in as root and entering umount followed by a tab...

Firefox allows for control characters to be set in cookies — Mozilla

Security researcher musicDespiteEverything reported an issue when ASCII code 11 for vertical tab is stored in a cookie in violation of RFC6265. This may result in incorrect cookie handling by servers, resulting in the potential ability to set cookie values and read cookie data from users in conce...

DEBIAN-CVE-2013-6933

The parseRTSPRequestString function in Live Networks Live555 Streaming Media 2011.08.13 through 2013.11.25, as used in VideoLAN VLC Media Player, allows remote attackers to cause a denial of service crash and possibly execute arbitrary code via a 1 space or 2 tab character at the beginning of an...