460 matches found
Remote Code Execution (RCE)
Apache Camel is vulnerable to Remote Code Execution. The vulnerability is due to inconsistent case-sensitive header filtering in non-HTTP HeaderFilterStrategy implementations, which allows an attacker to inject malicious headers that are later interpreted by downstream components to execute...
CVE-2026-3833 Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName DNS or rfc822Name email constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf...
CVE-2026-3833 Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName DNS or rfc822Name email constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the enforcement of X.509 nameConstraints due to case-sensitive comparisons for dNSName and the domain portion of rfc822Name. An attacker can gain unauthorized certificate validation and potential...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the default filtering mechanism HeaderFilterStrategy that only blocks headers starting with specific prefixes. An attacker can execute arbitrary code and write files by injecting...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the default filtering mechanism HeaderFilterStrategy that only blocks headers starting with specific prefixes. An attacker can execute arbitrary code and write files by injecting...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the default filtering mechanism HeaderFilterStrategy that only blocks headers starting with specific prefixes. An attacker can execute arbitrary code and write files by injecting...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the default filtering mechanism HeaderFilterStrategy that only blocks headers starting with specific prefixes. An attacker can execute arbitrary code and write files by injecting...
CVE-2026-40453 Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection
The fix for CVE-2025-27636 added setLowerCasetrue to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCasetrue call was not applied to five non-HTTP HeaderFilterStrategy...
Interpretation Conflict
Overview Affected versions of this package are vulnerable to Interpretation Conflict due to case-sensitive handling of the host matching process. An attacker can bypass access control policies by sending requests with hostnames that differ only in letter casing, potentially gaining unauthorized...
Heimdall: Case-sensitive host matching may lead to policy bypass
Summary Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than...
GHSA-43JV-5J4X-QV67 Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Summary Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized and therefore not processed as expected when allowencodedslashes is set to off the default setting. Th...
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Summary Heimdall handles URL-encoded slashes %2F in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent %2f is not recognized and therefore not processed as expected when allowencodedslashes is set to off the default setting. Th...
PT-2026-37187
Name of the Vulnerable Software and Affected Versions Heimdall versions prior to 0.17.14 Description Heimdall performs host matching in a case-sensitive manner, which conflicts with the case-insensitive nature of HTTP hostnames. This discrepancy allows a request host that differs only in letter...
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Summary When dynamic text is interpolated into a or tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a or block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...
JLSEC-2026-115 Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass
Summary A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing for...
BIT-GOLANG-2026-33810 Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the...
PT-2026-32425
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the...
Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
...
SUSE CVE-2026-31842
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The ischunkedtransfer function uses strcmp to compare the header value against "chunked", even though RFC 7230 specifies that...