Lucene search
+L

568 matches found

redhatcve
redhatcve
added 6 days ago6 views

CVE-2026-54528

A flaw was found in JupyterLab Git, a Git extension for JupyterLab. This vulnerability allows an authenticated user on a case-insensitive filesystem to bypass administrator-configured excluded paths by varying the case of the URL path segment. This bypass enables the user to read file content, vi...

7.1CVSS6AI score0.00285EPSS
Exploits1References6
nessus
nessus
added 6 days ago9 views

Linux Distros Unpatched Vulnerability : CVE-2026-55170

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely ...

5.4CVSS6.1AI score0.00248EPSS
Exploits0References2
cvelist
cvelist
added last week33 views

CVE-2026-55170 OpenFGA MySQL backend: case-insensitive collation on identifier columns causes incorrect authorization decisions

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorizationmodel identifier columns can compare case-distinct values such as...

2.1CVSS0.00248EPSS
Exploits0References5
cve
cve
added last week22 views

CVE-2026-55170

OpenFGA Open Source CVE-2026-55170 affects the MySQL datastore when decisions rely on case-sensitive user strings. The tuple, changelog, and authorization_model identifier columns can treat case-distinct values (e.g., user:Alice vs user:alice) as equivalent, potentially causing two distinct check...

5.4CVSS5.9AI score0.00248EPSS
Exploits0References5Affected Software2
nvd
nvd
added 2026/07/08 9:16 p.m.9 views

CVE-2026-54528

JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase in GitHandler.prepare in jupyterlabgit/handlers.py to enforce excludedpaths, allowing an authenticated user on a case-insensitive filesystem to vary URL path casing and read excluded...

7.1CVSS0.00285EPSS
Exploits1References3
osv
osv
added 2026/07/08 9:4 p.m.6 views

CVE-2026-54528 jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories

JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase in GitHandler.prepare in jupyterlabgit/handlers.py to enforce excludedpaths, allowing an authenticated user on a case-insensitive filesystem to vary URL path casing and read excluded...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References5
cve
cve
added 2026/07/08 9:4 p.m.27 views

CVE-2026-54528

Summary of vulnerability (CVE-2026-54528): The jupyterlab-git extension for JupyterLab is affected prior to version 0.54.0. On case-insensitive filesystems (e.g., macOS APFS, Windows NTFS), the code path that enforces excluded_paths uses fnmatch.fnmatchcase(), which is case-sensitive and can be b...

7.1CVSS6AI score0.00285EPSS
Exploits1References3Affected Software1
osv
osv
added 2026/07/01 9:2 a.m.2 views

OPENSUSE-SU-2026:21201-1 Security update for jackson-annotations, jackson-core, jackson-databind

This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues - CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation bsc1268897. - CVE-2026-54513: jackson-databind has an array...

8.1CVSS6.1AI score0.00695EPSS
Exploits1References9
nvd
nvd
added 2026/06/28 2:16 a.m.10 views

CVE-2026-58057

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'nodeoptions' bypasses the NODEOPTIONS denylist entry. An authenticated user who can configure a Custo...

5CVSS0.00827EPSS
Exploits3References3
cve
cve
added 2026/06/28 1:32 a.m.35 views

CVE-2026-58057

Flowise before 3.1.3 is affected: a case-sensitive denylist for Custom MCP stdio environment variables allows bypass on Windows (case-insensitive env names). An authenticated user who can configure a Custom MCP node can inject NODE_OPTIONS --require to execute arbitrary code in the Flowise server...

5CVSS6.1AI score0.00827EPSS
Exploits3References3Affected Software1
ptsecurity
ptsecurity
added 2026/06/28 12:0 a.m.16 views

PT-2026-53089

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.3 Description An authenticated user can execute arbitrary code in the server context by configuring a Custom MCP node. The issue occurs because environment variables are validated against a denylist using a...

5CVSS6.1AI score0.00827EPSS
Exploits3References12
osv
osv
added 2026/06/26 10:10 p.m.3 views

GHSA-2FMJ-P74R-3WJM PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)

Summary pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist: php if 0 === \strpos$filename, 'phar://' throw new \InvalidArgumentException'The output file cannot be a phar archive.'; PHP stream wrappers are case-insensitive, so...

8.1CVSS6.5AI score0.00555EPSS
Exploits0References6
redhat
redhat
added 2026/06/25 5:36 p.m.7 views

keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

7.3CVSS6.5AI score0.00419EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/06/25 4:16 p.m.8 views

CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

7.3CVSS6.5AI score0.00419EPSS
Exploits0References6
cvelist
cvelist
added 2026/06/25 4:16 p.m.64 views

CVE-2026-9086 Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

7.3CVSS0.00419EPSS
Exploits0References6
redhatcve
redhatcve
added 2026/06/25 4:1 p.m.13 views

CVE-2026-9086

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...

7.3CVSS6.5AI score0.00419EPSS
Exploits0References3
susecve
susecve
added 2026/06/25 2:19 a.m.8 views

SUSE CVE-2026-54515

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...

5.3CVSS5.8AI score0.00345EPSS
Exploits0References5
astralinux
astralinux
added 2026/06/24 3:11 p.m.6 views

Astra Linux – Vulnerability in cups

OpenPrinting CUPS is an open-source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and earlier, the CUPS daemon cupsd contained a authorization bypass vulnerability due to case-insensitive username comparisons during authorization checks. This vulnerability...

6.3CVSS5.8AI score0.00317EPSS
Exploits1References3
redhatcve
redhatcve
added 2026/06/24 7:25 a.m.7 views

CVE-2026-53622

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection allows unauthenticated clients to bypass router-specific mutual Transport Layer Security mTLS enforcement. When HTTP/3 is enabled and a router use...

10CVSS5.9AI score0.0024EPSS
Exploits1References5
snyk
snyk
added 2026/06/23 9:23 p.m.5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the BeanDeserializerBase.createContextual method, which applies the per-property exclusions through handleByNameInclusion and then rebuilds the property m...

6.9CVSS5.8AI score0.00345EPSS
Exploits0References2
Rows per page
Query Builder