107 matches found
Vite Dev Server - Information Exposure
Vite dev server could allow reading files from the Vite project root by bypassing server.fs.deny with double forward-slash paths //. This affects exposed dev servers only. id: CVE-2023-34092 info: name: Vite Dev Server - Information Exposure author: ritikchaddha severity: high description: | Vite...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect when certain URLs with path values starting with // are processed. An attacker can redirect users to external domains by supplying specially crafted protocol-relative URLs. Note: Users that utilise Declarative Mode are not...
CVE-2026-40181
Summary: CVE-2026-40181 affects React Router. In versions 7.0.0–7.14.0 and 6.7.0–6.30.3, redirect() can produce an open redirect to an external domain when the URL starts with //, due to protocol-relative URL handling. Impact depends on application-side redirect validation and does not affect Dec...
CVE-2026-40332
Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes // as internal paths, failing to validate the redirect target before processing. The application treats these values ...
CVE-2026-40332
Masa CMS is affected by an Open Redirect vulnerability caused by improper handling of scheme-relative URLs. The system misinterprets paths beginning with // as internal and processes them without validating that the redirect target stays on the local site. An attacker can craft a link on the trus...
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Mako vulnerability (USN-8234-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8234-1 advisory. It was discovered that Mako incorrectly handled URIs with double-slash prefixes in...
Masa CMS 输入验证错误漏洞
Masa CMS is a digital experience platform operated by Masa CMS organization. Masa CMS has a vulnerability related to input validation errors. This vulnerability stems from improper handling of relative URLs, which may allow attackers to redirect victims to sites controlled by external attackers...
USN-8234-1 python-mako vulnerability
It was discovered that Mako incorrectly handled URIs with double-slash prefixes in TemplateLookup. A remote attacker could possibly use this issue to obtain sensitive information...
USN-8234-1: Mako vulnerability
It was discovered that Mako incorrectly handled URIs with double-slash prefixes in TemplateLookup. A remote attacker could possibly use this issue to obtain sensitive information...
PT-2026-38083
Name of the Vulnerable Software and Affected Versions Mako versions prior to 1.1.0+ds1-1ubuntu2.1+esm1 Description Mako incorrectly handles URIs with double-slash prefixes in TemplateLookup. A remote attacker could potentially exploit this behavior to obtain sensitive information. Recommendations...
CVE-2026-41205
A flaw was found in Mako, a Python template library. This vulnerability, known as path traversal, allows an attacker to access files outside of the intended directory. By providing a specially crafted input to the TemplateLookup.gettemplate function, a remote attacker can exploit an inconsistency...
Mako: Path traversal via double-slash URI prefix in TemplateLookup
...
SUSE CVE-2026-41205
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be...
CVE-2026-41205 Mako: Path traversal via double-slash URI prefix in TemplateLookup
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be...
CVE-2026-41205
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be...
CVE-2026-41205 Mako: Path traversal via double-slash URI prefix in TemplateLookup
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be...
CVE-2026-41205
Mako (Python) prior to 1.3.11 is affected by a path traversal vulnerability in TemplateLookup.get_template() when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash‑stripping implementations. If an application passes untrusted input directly t...
Mako: Path traversal via double-slash URI prefix in TemplateLookup
Summary TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations: - Template.init strips one leading / using if/slice - TemplateLookup.gettemplate strips all...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the gettemplate function. An attacker can access arbitrary files readable by the process by supplying a specially crafted URI with a double-slash prefix, which bypasses path normalization checks. Note: This is...
GHSA-V92G-XGXW-VVMM Mako: Path traversal via double-slash URI prefix in TemplateLookup
Summary TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations: - Template.init strips one leading / using if/slice - TemplateLookup.gettemplate strips all...