Lucene search
K

3850 matches found

CVE
CVE
added 2026/06/22 8:48 p.m.21 views

CVE-2026-54281

The CVE concerns NestJS with the Fastify adapter: an authentication bypass exists in @nestjs/platform-fastify before version 11.1.24 when middleware is registered via MiddlewareConsumer.forRoutes(). A trailing slash on the request URL can bypass route-specific Nest middleware on the default Fasti...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 8:48 p.m.41 views

CVE-2026-54281 Nest: Middleware Bypass on Fastify via Trailing Slash

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated clien...

8.7CVSS0.00285EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 5:30 p.m.32 views

CVE-2026-54300 @astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config

@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remoteimages regular expressions with broader semantics than Astro's canonical matcher. A...

5.3CVSS0.00187EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 5:13 p.m.34 views

CVE-2026-54287 Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

5.3CVSS0.00186EPSS
Exploits0References1
OSV
OSV
added 2026/06/22 5:13 p.m.2 views

CVE-2026-54287 Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

5.3CVSS6AI score0.00186EPSS
Exploits0References3
CVE
CVE
added 2026/06/22 5:13 p.m.27 views

CVE-2026-54287

Summary: Hono’s AWS Lambda adapter, in the ALB single-header mode and VPC Lattice v2, concatenates multiple Set-Cookie headers into a single comma-separated value, causing cookie attributes that include commas (e.g., Expires) to be misparsed or dropped. Affected components: Hono web framework; AW...

5.3CVSS5.9AI score0.00186EPSS
Exploits0References1
OSV
OSV
added 2026/06/19 7:35 p.m.4 views

GHSA-7WQV-XJF3-X35V parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Impact The default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g. poc.svg.. The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the...

2.1CVSS5.8AI score0.00281EPSS
Exploits0References5
OSV
OSV
added 2026/06/19 6:19 p.m.3 views

CVE-2026-49336 @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, @microsoft/kiota-http-fetchlibrary's RedirectHandler is documented as stripping Authorization and Cookie from cross-origin redirect targets, bu...

6.9CVSS6AI score0.0065EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/06/17 3:22 p.m.27 views

Important: Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.19.0-1 Update

Custom Metrics Autoscaler Operator for Red Hat OpenShift updates. The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available: custom-metrics-autoscaler-adapter-container custom-metrics-autoscaler-admission-webhooks-container...

10CVSS7.1AI score0.01945EPSS
Exploits4References13
NVD
NVD
added 2026/06/16 3:16 p.m.10 views

CVE-2026-0646

A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to recover...

8.7CVSS0.00343EPSS
Exploits0References1
NVD
NVD
added 2026/06/16 3:16 p.m.13 views

CVE-2026-0647

An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication...

8.8CVSS0.00435EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/16 2:19 p.m.34 views

CVE-2026-0646 Rockwell Automation FLEX I/O Dual-port EtherNet/IP Adapters – Multiple Vulnerabilities

A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to recover...

8.7CVSS0.00343EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/16 2:8 p.m.16 views

hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

Summary On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes for example Expires dates, clients cannot split the value back into individual cookies and...

5.3CVSS5.3AI score0.00186EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/15 8:36 p.m.8 views

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 8:36 p.m.10 views

Nest: Middleware Bypass on Fastify via Trailing Slash

Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...

8.7CVSS5.3AI score0.00285EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/06/15 8:8 a.m.10 views

Information Exposure

Axios is vulnerable to Information Exposure. The vulnerability is due to improper handling of the Proxy-Authorization header in the Node.js HTTP adapter, where proxy credentials can be forwarded to a redirected destination during certain proxy-to-direct redirect flows, allowing an...

8.2CVSS5.3AI score0.00664EPSS
Exploits1References32Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.24 views

PT-2026-49595

Name of the Vulnerable Software and Affected Versions @nestjs/platform-fastify versions prior to 11.1.24 Description An authentication bypass exists in the Fastify adapter when middleware is registered through the MiddlewareConsumer.forRoutes API. An unauthenticated client can bypass registered...

8.7CVSS5.4AI score0.00285EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/06/12 6:34 p.m.13 views

CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...

2.1CVSS5.1AI score0.00281EPSS
Exploits0References3
Veracode
Veracode
added 2026/06/12 11:29 a.m.15 views

Improper Error Handling

@hulumi/drift is vulnerable to Improper Error Handling. The vulnerability is due to the classifier failing open on adapter errors and incorrectly promoting mixed verdicts, which allows incorrect classification results and may enable unauthorized or unintended actions based on inaccurate trust...

5.2AI score0.0004EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/12 1:9 a.m.15 views

CVE-2026-44487

A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final...

8.2CVSS5.1AI score0.00664EPSS
Exploits1References4
Rows per page
Query Builder