Lucene search
K

9 matches found

OSV
OSV
added 2026/06/12 6:23 p.m.8 views

GHSA-WXQ7-X3QP-VCR8 Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker

Summary The buildMatcherRegex / matches functions in packages/backend-core/src/middleware/matchers.ts share the same structural root cause as the recently patched CVE-2026-31816: route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the...

6.5CVSS5.4AI score0.00115EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/12 6:23 p.m.16 views

Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker

Summary The buildMatcherRegex / matches functions in packages/backend-core/src/middleware/matchers.ts share the same structural root cause as the recently patched CVE-2026-31816: route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the...

6.5CVSS5.5AI score0.00115EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/05 9:29 p.m.2 views

CVE-2026-40110 jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS5.9AI score0.00333EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/04/24 7:17 p.m.3 views

CVE-2026-41428 Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...

9.1CVSS5.5AI score0.00445EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2018-20752

Malware in sbrugna...

7.2CVSS7AI score0.01226EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2019-7626

Malware in sbrugna...

7.5CVSS7.5AI score0.09957EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2018-9723

Malware in sbrugna...

7.8CVSS7.7AI score0.03369EPSS
Exploits1References4
OSV
OSV
added 2018/04/16 9:58 a.m.4 views

CVE-2018-9153

The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the appid parameter to zbusers/plugin/AppCentre/pluginedit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directl...

7.2CVSS6AI score0.01226EPSS
Exploits0References1
Prion
Prion
added 2018/04/16 9:58 a.m.18 views

Cross site request forgery (csrf)

The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the appid parameter to zbusers/plugin/AppCentre/pluginedit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directl...

6.5CVSS8.2AI score0.01226EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder