7280 matches found

NVD
added 2026/03/24 5:16 a.m., 11 views

CVE-2026-3260

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...

CVSS 7.5, EPSS 0.00441
Exploits: 0, References: 2
UbuntuCve
added 2026/03/24 5:16 a.m., 4 views

CVE-2026-3260

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...

CVSS 7.5, AI score 5.9, EPSS 0.00441
Exploits: 0, References: 3
OSV
added 2026/03/24 5:16 a.m., 6 views

UBUNTU-CVE-2026-3260

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...

CVSS 7.5, AI score 5.8, EPSS 0.00441
Exploits: 0, References: 4
ATTACKERKB
added 2026/03/24 4:11 a.m., 2 views

CVE-2026-3260

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...

CVSS 5.9, AI score 5.8, EPSS 0.00441
Exploits: 0, References: 3
CVE
added 2026/03/24 4:11 a.m., 20 views

CVE-2026-3260

CVE-2026-3260 affects Undertow and enables Denial of Service via premature multipart/form-data parsing when a GET request with multipart/form-data is processed (e.g., via getParameterMap). The issue is caused by content being parsed and stored to disk during parameter handling, leading to resourc...

CVSS 7.5, AI score 5.8, EPSS 0.00441
Exploits: 0, References: 2, Affected Software: 10
Debian CVE
added 2026/03/24 4:11 a.m., 4 views

CVE-2026-3260

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...

CVSS 7.5, AI score 5.5, EPSS 0.00441
Exploits: 0
RedhatCVE
added 2026/03/24 4:11 a.m., 4 views

CVE-2026-3260

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...

CVSS 5.9, AI score 5.7, EPSS 0.00441
Exploits: 0, References: 3
Snyk
added 2026/03/24 2:33 a.m., 5 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the path_for function in DiskService. An attacker can read, write, or delete arbitrary files on the server by supplying blob keys containing path traversal sequences like ../. Note: In most cases, blob keys are...

CVSS 9.8, AI score 6.4, EPSS 0.00603
Exploits: 0, References: 2
Snyk
added 2026/03/24 2:33 a.m., 1 view

Glob Injection

Overview: Affected versions of this package are vulnerable to Glob Injection via the DiskService#delete_prefixed function. An attacker can delete unintended files from the storage directory by supplying blob keys containing glob metacharacters that are passed unescaped to Dir.glob. Remediation: Upgra...

CVSS 9.1, AI score 5.8, EPSS 0.00646
Exploits: 0, References: 2
Fedora
added 2026/03/24 1:12 a.m., 4 views

[SECURITY] Fedora 42 Update: python-diskcache-5.6.3-12.fc42

DiskCache is an Apache2 licensed disk and file backed cache library, written in pure-Python, and compatible with Django...

CVSS 9.8, AI score 7.1, EPSS 0.00546
Exploits: 1
Fedora
added 2026/03/24 12:17 a.m., 11 views

[SECURITY] Fedora 44 Update: python-diskcache-5.6.3-12.fc44

DiskCache is an Apache2 licensed disk and file backed cache library, written in pure-Python, and compatible with Django...

CVSS 9.8, AI score 7.1, EPSS 0.00546
Exploits: 1
NVD
added 2026/03/24 12:16 a.m., 1 view

CVE-2026-33202

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled inp...

CVSS 9.1, EPSS 0.00646
Exploits: 0, References: 7
NVD
added 2026/03/24 12:16 a.m., 3 views

CVE-2026-33195

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path...

CVSS 9.8, EPSS 0.00603
Exploits: 0, References: 7
UbuntuCve
added 2026/03/24 12:16 a.m., 2 views

CVE-2026-33202

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled inp...

CVSS 9.1, AI score 5.8, EPSS 0.00646
Exploits: 0, References: 8
Positive Technologies
added 2026/03/24 12:0 a.m., 4 views

PT-2026-27322

Name of the Vulnerable Software and Affected Versions: Undertow, affected versions not specified. Description: A remote attacker could exploit this issue by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like...

CVSS 7.5, AI score 5.3, EPSS 0.00441
Exploits: 1, References: 75
Cvelist
added 2026/03/23 11:34 p.m., 24 views

CVE-2026-33202 Rails Active Storage has possible glob injection in its DiskService

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled inp...

CVSS 8.7, EPSS 0.00646
Exploits: 0, References: 7
ATTACKERKB
added 2026/03/23 11:34 p.m., 1 view

CVE-2026-33202

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled inp...

CVSS 8.7, AI score 5.8, EPSS 0.00646
Exploits: 0, References: 8, Affected Software: 1
Vulnrichment
added 2026/03/23 11:34 p.m., 1 view

CVE-2026-33202 Rails Active Storage has possible glob injection in its DiskService

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled inp...

CVSS 8.7, AI score 5.8, EPSS 0.00646
Exploits: 0, References: 7
CVE
added 2026/03/23 11:34 p.m., 11 views

CVE-2026-33202

CVE-2026-33202 (Rails Active Storage): The DiskService#delete_prefixed path in Active Storage passes blob keys directly to Dir.glob without escaping glob metacharacters. If attacker-controlled blob keys include characters like * or ?, an attacker could delete unintended files in the storage dire...

CVSS 9.1, AI score 5.8, EPSS 0.00646
Exploits: 0, References: 7, Affected Software: 1
OSV
added 2026/03/23 11:34 p.m., 2 views

CVE-2026-33202 Rails Active Storage has possible glob injection in its DiskService

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled inp...

CVSS 8.7, AI score 5.8, EPSS 0.00646
Exploits: 0, References: 9