4633 matches found
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories
Summary jupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlabgit/handlers.py:91 to enforce the admin-configured excludedpaths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive filesyste...
CVE-2026-49336 @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter
@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, @microsoft/kiota-http-fetchlibrary's RedirectHandler is documented as stripping Authorization and Cookie from cross-origin redirect targets, bu...
CVE-2026-49336
The CVE concerns @microsoft/kiota-http-fetchlibrary (TypeScript) in versions 1.0.0-preview.97–1.0.0-preview.101, where RedirectHandler’s scrubSensitiveHeaders uses case-sensitive deletion (delete headers.Authorization, delete headers.Cookie) on a headers object already lower-cased by FetchRequest...
CVE-2026-49286
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc...
CVE-2026-49286
CVE-2026-49286 - PhpWeasyPrint : The library (prior to 2.6.0) guards the output filename against the phar:// stream wrapper with a case-sensitive blacklist. Because PHP stream wrappers are case-insensitive, inputs like PHAR://, Phar:// bypass the check and reach fileExists() in prepareOutput(), a...
CVE-2026-11941
creationtimestamp| type| source ---|---|--- 2026-06-19 12:24:06+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mondj7rhaa2q 2026-06-20 11:40:05+00:00| seen| https://bsky.app/profile/cybersecinsight.bsky.social/post/3moprjhbain2s 2026-06-21 20:11:16+00:00| seen|...
Astra Linux – Vulnerability in Tomcat9
Improper handling of the case sensitivity vulnerability in Apache Tomcat’s GCI servlet allows bypassing security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through...
Astra Linux – Vulnerability in Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: gpiolib: A memory leak was fixed in gpiochipsetupdev. Here is a backtrace report regarding the memory leak detected in gpiochipsetupdev: Unreferenced object: 0xffff88810b406400 size 512 - Source: comm "python3", pid 1682, jiffies...
Astra Linux – Vulnerability in Git
Git is an open-source distributed revision control system. In affected versions of Git, a specially crafted repository containing symbolic links and files processed by clean/smudge filters like Git LFS may cause a just-checked-out script to be executed when cloning to a case-insensitive file syst...
GCVE-2342-2026-1
creationtimestamp| type| source ---|---|--- 2026-06-19 01:06:38+00:00| seen| https://bsky.app/profile/shiojiri.com/post/3mom5lxuqbkg5...
PT-2026-51120
Name of the Vulnerable Software and Affected Versions Python Liquid versions prior to 2.2.1 Description A denial of service issue exists where the engine hangs in an infinite loop during parse time. This occurs when a malformed % case % tag is used without an associated % when % or % else % block...
PT-2026-51066
Summary jupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlab git/handlers.py:91 to enforce the admin-configured excluded paths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive...
GHSA-CF98-J28V-49V6 OpenFGA Improper Policy Enforcement
Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...
OpenFGA Improper Policy Enforcement
Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...
CVE-2026-32652
creationtimestamp| type| source ---|---|--- 2026-06-17 18:27:53+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3moiwvvb3cm2j...
CVE-2026-32804
creationtimestamp| type| source ---|---|--- 2026-06-17 17:23:17+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3moitcf5f5w2f...
CVE-2026-32967
creationtimestamp| type| source ---|---|--- 2026-06-17 02:13:06+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mohagpnqt42x 2026-06-18 14:37:06+00:00| seen| https://bsky.app/profile/cyberhub.blog/post/3mol2i4sfak24 2026-06-22 00:31:22+00:00| seen|...
PT-2026-50546
Impact In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user: - Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has...
PT-2026-50475
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description When NC SECURE ATTACHMENTS is set to true, an authenticated uploader can upload .html or .svg attachments that the browser renders inline from the NocoDB origin instead of forcing a download. This...
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
Summary Two related issues in the token public-only scope enforcement introduced by PR 32204 CVE-2025-68941 fix. A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly routers/api/v1/api.go line 1599: go m.Get"/user/orgs", reqToken,...