Lucene search
K

9 matches found

Cvelist
Cvelist
added 2026/06/22 4:10 p.m.30 views

CVE-2026-53571 Vite: `server.fs.deny` bypass on Windows alternate paths

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...

8.2CVSS0.00393EPSS
Exploits1References1
CVE
CVE
added 2026/06/22 4:10 p.m.173 views

CVE-2026-53571

CVE-2026-53571 affects the Vite dev server. On Windows, the denial mechanism implemented by the option server.fs.deny fails to normalize NTFS ADS path forms before access checks, allowing bypasses such as /.env::$DATA?raw and access via 8.3 short-name tricks. This can enable exposure of sensitive...

8.2CVSS5.9AI score0.00393EPSS
Exploits1References1Affected Software2
EUVD
EUVD
added 2026/03/10 7:1 p.m.5 views

EUVD-2026-10799

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating eac...

7.5CVSS5.8AI score0.00293EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.7 views

PT-2026-24626

Summary The Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated...

7.5CVSS5.8AI score
Exploits0References3
Cvelist
Cvelist
added 2026/02/06 5:53 p.m.29 views

CVE-2026-25724 Claude Code Has Permission Deny Bypass Through Symbolic Links

Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file such as /etc/passwd and Claude Code had access to a...

2.3CVSS0.00376EPSS
Exploits0References1
Snyk
Snyk
added 2025/04/30 5:40 p.m.4 views

Directory Traversal

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root...

6.5CVSS7.7AI score0.01077EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/04/05 6:35 p.m.49 views

CVE-2025-31486

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...

5.3CVSS7.2AI score0.38685EPSS
Exploits7References6
OSV
OSV
added 2024/01/19 9:58 p.m.4 views

GHSA-C24V-8RFC-W8VW Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...

7.5CVSS7AI score0.03152EPSS
Exploits2References9
Veracode
Veracode
added 2021/07/19 5:16 a.m.32 views

Privilege Escalation

github.com/hashicorp/consul is vulnerable to privilege escalation. The vulnerability exists due to a single L7 deny intention bypassing the default deny policy...

7.5CVSS3.3AI score0.0174EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder