7 matches found
GHSA-F8R2-VG7X-GH8M OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths
Summary matchesExecAllowlistPattern normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In addition, the ? wildcard could match /, which allowed matches to cross path segments. Impact These matching rules could overmatch allowlist entries and permit...
GO-2026-4536 Unicode case-folding causes incorrect split_path index in github.com/caddyserver/caddy/v2
Unicode case-folding causes incorrect splitpath index in github.com/caddyserver/caddy/v2...
GHSA-5R3V-VC8M-M96G Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport
Summary Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because strings.ToLower can change UTF-8 byte length for some characters. As a result, Caddy can deri...
CVE-2026-27590 Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because...
GHSA-G966-83W7-6W38 FrankenPHP's unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FrankenPHP
Summary FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index for finding .php on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower in Go can increase the...
CVE-2023-53662
In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leaks in ext4fnamesetupfilename,preparelookup If the filename casefolding fails, we'll be leaking memory from the fscryptname struct, namely from the 'cryptobuf.name' member. Make sure we free it in the error pat...
PT-2022-36746 · Git +1 · Oniguruma
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: A heap-buffer-overflow READ 1 crash has been reported, involving functions such as onigenc mbn mbc case fold, euckr mbc case fold, and match at...