CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 2 days ago•17 views

CVE-2026-54281 Nest: Middleware Bypass on Fastify via Trailing Slash

8.7CVSS0.00285EPSS

CVE•added 2 days ago•15 views

CVE-2026-54281

The CVE concerns NestJS with the Fastify adapter: an authentication bypass exists in @nestjs/platform-fastify before version 11.1.24 when middleware is registered via MiddlewareConsumer.forRoutes(). A trailing slash on the request URL can bypass route-specific Nest middleware on the default Fasti...

8.7CVSS5.9AI score0.00285EPSS

OSV•added 2026/06/15 8:36 p.m.•4 views

GHSA-6V32-FJC9-9QF6 Nest: Middleware Bypass on Fastify via Trailing Slash

Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...

8.7CVSS5.3AI score0.00285EPSS

Snyk•added 2026/06/15 8:36 p.m.•4 views

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

8.7CVSS5.9AI score0.00285EPSS

Github Security Blog•added 2026/06/15 8:36 p.m.•7 views

Nest: Middleware Bypass on Fastify via Trailing Slash

8.7CVSS5.3AI score0.00285EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/06/15 12:0 a.m.•5 views

PT-2026-49595

Name of the Vulnerable Software and Affected Versions @nestjs/platform-fastify versions prior to 11.1.24 Description An authentication bypass exists in the Fastify adapter when middleware is registered through the MiddlewareConsumer.forRoutes API. An unauthenticated client can bypass registered...

8.7CVSS5.4AI score0.00285EPSS

Exploits0References5

OSV•added 2026/06/12 6:23 p.m.•6 views

GHSA-X4R9-GMW3-HXWW GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution

Summary A GeoServer that uses ENTITYRESOLUTIONALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery SSRF. Details This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITYRESOLUTIONALLOWLIST default since 2.25.0: Impact This...

6.5CVSS5.4AI score0.00287EPSS

Exploits0References3

Github Security Blog•added 2026/06/12 6:23 p.m.•18 views

GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution

8.2CVSS5.3AI score0.00287EPSS

Exploits0References3Affected Software2

Tenable Nessus•added 2026/06/11 12:0 a.m.•8 views

openSUSE 16 Security Update : syft (openSUSE-SU-2026:20928-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20928-1 advisory. Changes in syft: - Update to version 1.45.0: Added Features - Add support for ZapAddOns as jar files 4654 4932 @douglasclarke - MySQL binary classifier...

9.8CVSS5.7AI score0.01323EPSS

Cvelist•added 2026/06/02 3:35 p.m.•38 views

CVE-2026-45554 NiceGUI: Unauthenticated log-flood DoS via trailing slash on ESM and per-component resource routes

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside...

5.3CVSS0.00343EPSS

Vulnrichment•added 2026/06/02 3:35 p.m.•8 views

CVE-2026-45554 NiceGUI: Unauthenticated log-flood DoS via trailing slash on ESM and per-component resource routes

5.3CVSS5.8AI score0.00343EPSS

Cvelist•added 2026/05/14 9:7 p.m.•41 views

CVE-2026-44427 MCP Registry: Open Redirect

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. From 1.1.0 to 1.7.4, the TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path e.g., //evil.com/ tha...

0.00409EPSS

CVE•added 2026/05/14 9:7 p.m.•29 views

CVE-2026-44427

The CVE-2026-44427 entry concerns the MCP Registry’s TrailingSlashMiddleware (internal/api/server.go), affecting versions 1.1.0–1.7.4. The vulnerability is an open redirect caused by processing protocol-relative paths (e.g., //evil.com/) without validating the redirect target after trimming trail...

ATTACKERKB•added 2026/05/14 9:7 p.m.•5 views

CVE-2026-44427

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/14 9:7 p.m.•6 views

CVE-2026-44427 MCP Registry: Open Redirect

OSV•added 2026/05/08 5:2 p.m.•9 views

GHSA-V8VW-GW5J-W7M6 MCP Registry has open redirect via protocol-relative path in trailing-slash middleware

Summary The TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path e.g., //evil.com/ that, after trailing slash removal, results in a Location header of //evil.com — which browsers interpret as an...

7.1CVSS5.8AI score0.00409EPSS

Exploits0References6

Github Security Blog•added 2026/05/08 5:2 p.m.•42 views

MCP Registry has open redirect via protocol-relative path in trailing-slash middleware

Exploits0References6Affected Software1

Snyk•added 2026/05/08 5:2 p.m.•5 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect in the TrailingSlashMiddleware function. An attacker can redirect users to arbitrary external domains by crafting a request with a protocol-relative path, leading to potential phishing or malware distribution attacks...

7.1CVSS5.6AI score0.00409EPSS