Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

Description Symfony\Component\Routing\Generator\UrlGenerator::doGenerate percent-encodes . and .. path segments so that the generated URL still resolves to the originating route after RFC 3986 §5.2.4 dot-segment removal which strict RFC-3986 consumers — routers, reverse proxies, HTTP clients —...

Exploit for Cross-site Scripting in Bdtask Multi_Store_Inventory_Management_System

CVE-2024-2997 Scanner !Versionhttps://img.shields.io/badge...

GHSA-7GCC-R8M5-44QM Koa has Host Header Injection via ctx.hostname

Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...

Koa has Host Header Injection via ctx.hostname

Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...

CVE-2026-27959

A flaw was found in Koa’s ctx.hostname API used in Node.js applications. The function incorrectly parses specially crafted HTTP Host headers containing an @ character, which can cause the extracted hostname value to differ from the intended origin. An attacker can exploit this behavior by sending...

CVE-2026-27959

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed...

CVE-2026-27959 Koa has Host Header Injection via `ctx.hostname`

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed...

CVE-2026-27959

Koa (Node.js) prior to versions 3.1.2 and 2.16.4 exposes a vulnerability in ctx.hostname: it naively parses the Host header and returns an attacker-controlled value when the header contains an invalid RFC 3986 hostname (e.g., with a @). This can affect URL generation, password reset links, email ...

EUVD-2022-2651

Malicious code in bioql PyPI...

Exploit for External Control of File Name or Path in Microsoft

CVE-2025-33053 Proof Of Concept This repository provides scri...

CVE-2021-41114

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the...

Host Header Injection

pimcore/admin-ui-classic-bundle is vulnerable to Host Header Injection. The vulnerability is caused due to unsafely using the host header from incoming HTTP requests when generating URLs in the function invitationLinkAction within UserController.php , specifically in the way $loginUrl trusts user...

Gitea XSS Vulnerability

Gitea 1.7.0 and earlier is affected by: Cross Site Scripting XSS. The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically...

Cross-Site Scripting (XSS)

tableexport.jquery.plugin is vulnerable to cross-site scripting. The vulnerability exists in the parseString function in tableExport.js due to a lack of sanitization in the url generation which allows a malicious attacker to steal sensitive information...

Invalid URL generation in bitlyshortener

Impact Due to a sudden upstream breaking change by Bitly, versions of bitlyshortener 0.6.0 generate invalid short URLs. All users are affected and must update immediately. Patches Upgrading bitlyshortener to 0.6.0 or newer will prevent the generation such invalid short URLs. Workarounds A...

GHSA-RCRV-228C-GPRJ Invalid URL generation in bitlyshortener

Impact Due to a sudden upstream breaking change by Bitly, versions of bitlyshortener 0.6.0 generate invalid short URLs. All users are affected and must update immediately. Patches Upgrading bitlyshortener to 0.6.0 or newer will prevent the generation such invalid short URLs. Workarounds A...

Indico Tampering with links (e.g. password reset) in sent emails

Impact An external audit of the Indico codebase has discovered a vulnerability in Indico's URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the Host header. Ha...

GHSA-WGPJ-7C2J-VFJM Indico Tampering with links (e.g. password reset) in sent emails

Impact An external audit of the Indico codebase has discovered a vulnerability in Indico's URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the Host header. Ha...

Cross site scripting

Scripts in Sling CMS before 0.16.0 do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks...

Quickly Extend Live Streams with VOD Clipping

Time is always of the essence to extend compelling video content such as sporting events and concerts and make the most of media rights windows. This is especially true for catch-up TV, highlight creation, time-shifting 24/7 simulcast streams, and social sharing. At Akamai, we are continually...