CVE-2026-9658

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost:...

Directory Traversal

SiYuan is vulnerable to Directory Traversal. The vulnerability is due to improper validation of file paths in the /export endpoint, which allows an attacker to use double-encoded traversal sequences to read arbitrary files and obtain sensitive information...

EUVD-2025-209429

Vtiger CRM 8.4.0 contains a reflected cross-site scripting XSS vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

CVE-2025-70936

Vtiger CRM 8.4.0 contains a reflected cross-site scripting XSS vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage

Summary A path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double‑encoded traversal sequences, an attacker can access sensitive files such as conf/conf.json, which contains secrets including the API token,...

CVE-2020-36973

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path...

CVE-2020-36973

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path...

EUVD-2020-30880

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path...

OPENSUSE-SU-2025:20021-1 Security update for MozillaThunderbird

This update for MozillaThunderbird fixes the following issues: Changes in MozillaThunderbird: Mozilla Thunderbird 140.3.0 ESR: Right-clicking 'List-ID' - 'Unsubscribe' created double encoded draft subject Thunderbird could crash on startup Thunderbird could crash when importing mail Opening Websi...

EUVD-2022-4034

Malicious code in bioql PyPI...

CVE-2020-15840

In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.paths.regexp' can be bypassed with doubled encoded URLs...

CVE-2024-28344

An Open Redirect vulnerability was found in Sipwise C5 NGCP Dashboard below mr11.5.1. The Open Redirect vulnerability allows attackers to control the "back" parameter in the URL through a double encoded URL...

CVE-2024-28344

An Open Redirect vulnerability was found in Sipwise C5 NGCP Dashboard below mr11.5.1. The Open Redirect vulnerability allows attackers to control the "back" parameter in the URL through a double encoded URL...

CVE-2024-28344

An Open Redirect vulnerability was found in Sipwise C5 NGCP Dashboard below mr11.5.1. The Open Redirect vulnerability allows attackers to control the "back" parameter in the URL through a double encoded URL...

Directory Traversal

Overview mongrel is an A small fast HTTP library and server that runs Rails, Camping, Nitro and Iowa apps. Affected versions of this package are vulnerable to Directory Traversal via the DirHandler function in lib/mongrel/handlers.rb. An attacker can read arbitrary files by sending an HTTP reques...

CVE-2023-38745

Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of...

CVE-2023-38745

Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of...

CVE-2023-38745

Pandoc-era vulnerability set affects Pandoc up to 3.1.6. CVE-2023-38745: before 3.1.6, an arbitrary file write is possible when processing crafted image elements with --extract-media or PDF output, depending on process privileges. Root cause ties to an incomplete/adjusted handling of paths and do...

SUSE CVE-2007-1860

modjk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. dot dot sequences and...

SUSE CVE-2011-3848

Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request CSR to arbitrary locations via 1 a double-encoded key parameter in the URI in 2.7.x, 2 the CN in the Subject of a CSR in 2.6 and 0.25...