Lucene search
K

7 matches found

RedhatCVE
RedhatCVE
added 2026/06/25 5:11 a.m.14 views

CVE-2026-55602

A flaw was found in http-proxy-middleware before 2.0.10, 3.0.6, and 4.1.0. Router proxy-table host+path matching uses unanchored substring comparison on the Host header, so a crafted Host value that superstring-matches a configured key can route requests to an unintended backend...

8.6CVSS5.8AI score0.0034EPSS
Exploits1References4
NVD
NVD
added 2026/06/22 6:16 p.m.9 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

8.6CVSS0.0034EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/22 3:58 p.m.31 views

CVE-2026-55602 http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

6.9CVSS0.0034EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 3:58 p.m.4 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

6.9CVSS5.9AI score0.0034EPSS
Exploits1References2Affected Software1
Veracode
Veracode
added 2026/06/20 5:55 a.m.7 views

Improper Request Routing

http-proxy-middleware is vulnerable to improper request routing. The vulnerability is due to unanchored substring matching in the host+path router selector logic, where configured host+path entries are matched against attacker-controlled request metadata using partial string comparisons instead o...

8.6CVSS5.8AI score0.0034EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/03/26 6:45 p.m.7 views

EUVD-2026-14984

Astro: Remote allowlist bypass via unanchored matchPathname wildcard...

6.3CVSS5.8AI score0.00325EPSS
Exploits1References2
CVE
CVE
added 2026/03/24 6:44 p.m.23 views

CVE-2026-33769

CVE-2026-33769 affects the Astro web framework. From version 2.10.10 up to before 5.18.1, the remotePatterns path enforcement for remote URLs used by server-side fetchers (e.g., image optimization) uses an unanchored match for /* wildcards, allowing a pathname containing the allowed prefix later ...

6.3CVSS5.8AI score0.00325EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder