Lucene search
K

4633 matches found

Github Security Blog
Github Security Blog
added 2026/06/19 7:36 p.m.9 views

jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories

Summary jupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlabgit/handlers.py:91 to enforce the admin-configured excludedpaths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive filesyste...

7.1CVSS6AI score0.00285EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/19 6:19 p.m.19 views

CVE-2026-49336 @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, @microsoft/kiota-http-fetchlibrary's RedirectHandler is documented as stripping Authorization and Cookie from cross-origin redirect targets, bu...

6.9CVSS0.0065EPSS
Exploits0References2
CVE
CVE
added 2026/06/19 6:19 p.m.34 views

CVE-2026-49336

The CVE concerns @microsoft/kiota-http-fetchlibrary (TypeScript) in versions 1.0.0-preview.97–1.0.0-preview.101, where RedirectHandler’s scrubSensitiveHeaders uses case-sensitive deletion (delete headers.Authorization, delete headers.Cookie) on a headers object already lower-cased by FetchRequest...

6.9CVSS5.9AI score0.0065EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 6:16 p.m.11 views

CVE-2026-49286

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc...

8.1CVSS0.00555EPSS
Exploits0References4
CVE
CVE
added 2026/06/19 5:3 p.m.18 views

CVE-2026-49286

CVE-2026-49286 - PhpWeasyPrint : The library (prior to 2.6.0) guards the output filename against the phar:// stream wrapper with a case-sensitive blacklist. Because PHP stream wrappers are case-insensitive, inputs like PHAR://, Phar:// bypass the check and reach fileExists() in prepareOutput(), a...

8.1CVSS6.2AI score0.00555EPSS
Exploits0References4
Circl
Circl
added 2026/06/19 12:24 p.m.9 views

CVE-2026-11941

creationtimestamp| type| source ---|---|--- 2026-06-19 12:24:06+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mondj7rhaa2q 2026-06-20 11:40:05+00:00| seen| https://bsky.app/profile/cybersecinsight.bsky.social/post/3moprjhbain2s 2026-06-21 20:11:16+00:00| seen|...

5.6CVSS5.8AI score0.0017EPSS
Exploits0References3
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.13 views

Astra Linux – Vulnerability in Tomcat9

Improper handling of the case sensitivity vulnerability in Apache Tomcat’s GCI servlet allows bypassing security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through...

7.3CVSS7.2AI score0.02736EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerability in Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: gpiolib: A memory leak was fixed in gpiochipsetupdev. Here is a backtrace report regarding the memory leak detected in gpiochipsetupdev: Unreferenced object: 0xffff88810b406400 size 512 - Source: comm "python3", pid 1682, jiffies...

5.5CVSS6.2AI score0.00245EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.2 views

Astra Linux – Vulnerability in Git

Git is an open-source distributed revision control system. In affected versions of Git, a specially crafted repository containing symbolic links and files processed by clean/smudge filters like Git LFS may cause a just-checked-out script to be executed when cloning to a case-insensitive file syst...

8CVSS7AI score0.88644EPSS
Exploits5References2
Circl
Circl
added 2026/06/19 1:6 a.m.5 views

GCVE-2342-2026-1

creationtimestamp| type| source ---|---|--- 2026-06-19 01:06:38+00:00| seen| https://bsky.app/profile/shiojiri.com/post/3mom5lxuqbkg5...

5AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.15 views

PT-2026-51120

Name of the Vulnerable Software and Affected Versions Python Liquid versions prior to 2.2.1 Description A denial of service issue exists where the engine hangs in an infinite loop during parse time. This occurs when a malformed % case % tag is used without an associated % when % or % else % block...

7.1CVSS6AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.29 views

PT-2026-51066

Summary jupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlab git/handlers.py:91 to enforce the admin-configured excluded paths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive...

7.1CVSS6AI score0.00285EPSS
Exploits0References6
OSV
OSV
added 2026/06/18 3:5 p.m.4 views

GHSA-CF98-J28V-49V6 OpenFGA Improper Policy Enforcement

Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...

2.1CVSS5.4AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.13 views

OpenFGA Improper Policy Enforcement

Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...

2.1CVSS5.3AI score
Exploits0References2Affected Software1
Circl
Circl
added 2026/06/17 6:27 p.m.12 views

CVE-2026-32652

creationtimestamp| type| source ---|---|--- 2026-06-17 18:27:53+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3moiwvvb3cm2j...

7.8CVSS4.9AI score0.00098EPSS
Exploits0References1
Circl
Circl
added 2026/06/17 5:23 p.m.16 views

CVE-2026-32804

creationtimestamp| type| source ---|---|--- 2026-06-17 17:23:17+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3moitcf5f5w2f...

8.1CVSS4.9AI score0.00216EPSS
Exploits0References1
Circl
Circl
added 2026/06/17 2:13 a.m.9 views

CVE-2026-32967

creationtimestamp| type| source ---|---|--- 2026-06-17 02:13:06+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mohagpnqt42x 2026-06-18 14:37:06+00:00| seen| https://bsky.app/profile/cyberhub.blog/post/3mol2i4sfak24 2026-06-22 00:31:22+00:00| seen|...

9.1CVSS5.8AI score0.00337EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.13 views

PT-2026-50546

Impact In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user: - Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has...

6.5CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.11 views

PT-2026-50475

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description When NC SECURE ATTACHMENTS is set to true, an authenticated uploader can upload .html or .svg attachments that the browser renders inline from the NocoDB origin instead of forcing a download. This...

5.1CVSS5.7AI score0.00288EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/16 11:41 p.m.9 views

Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw

Summary Two related issues in the token public-only scope enforcement introduced by PR 32204 CVE-2025-68941 fix. A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly routers/api/v1/api.go line 1599: go m.Get"/user/orgs", reqToken,...

5.3CVSS7.6AI score0.00271EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder