
4 matches found

OSV
added 2026/03/05 8:16 p.m., 2 views

DEBIAN-CVE-2026-28348

lxml_html_clean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.4, the has_sneaky_javascript method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression filters,...

CVSS 6.1 | AI score 5.2 | EPSS 0.00051
Exploits 1 | References 1
Cvelist
added 2026/02/24 4:06 p.m., 16 views

CVE-2026-27585 Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations...

CVSS 8.2 | EPSS 0.00122
Exploits 1 | References 4
Positive Technologies
added 2026/01/01 12:00 a.m., 4 views

PT-2026-21767

Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1
Description: The path sanitization routine in Caddy's file matcher does not properly sanitize backslashes, potentially allowing bypass of path-related security protections. This issue affects users with specific...

CVSS 9.9 | AI score 5.4 | EPSS 0.00733
Exploits 44 | References 124
OSV
added 2022/08/02 2:15 p.m., 1 view

UBUNTU-CVE-2021-23385

This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes such as \\evil.com/path. This vulnerability is only...

CVSS 6.1 | AI score 6.5 | EPSS 0.00185
Exploits 1 | References 6