Lucene search
K

35 matches found

CVE
CVE
added 2026/06/23 5:50 p.m.17 views

CVE-2026-52844

CVE-2026-52844 describes a Windows-specific path handling bug in Caddy prior to 2.11.4 where path matchers do not normalize backslashes, causing a request like /private%5csecret.txt to bypass path-scoped auth and reach the protected file, e.g., /private/*, through file_server. The issue is exploi...

7.5CVSS5.9AI score0.00409EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/06/23 5:50 p.m.1 views

CVE-2026-52844 Caddy: Windows `file_server` path authorization bypass via encoded backslash

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/, but fileserver later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy...

7.5CVSS6AI score0.00409EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/06/22 6:22 p.m.62 views

CVE-2026-53779 WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows

WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMGPATH directory by sending requests with percent-encoded backslashes %5C that bypass the path.Clean sanitization in handler/router.go...

8.7CVSS0.00408EPSS
Exploits0References3
NVD
NVD
added 2026/06/22 6:16 p.m.15 views

CVE-2026-54286

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...

5.9CVSS0.00292EPSS
Exploits0References1
OSV
OSV
added 2026/06/22 5:14 p.m.2 views

CVE-2026-54286 Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...

5.9CVSS5.9AI score0.00292EPSS
Exploits0References3
CVE
CVE
added 2026/06/22 5:14 p.m.32 views

CVE-2026-54286

CVE-2026-54286 concerns Hono’s path traversal in the Windows environment via encoded backslash (%5C) in the request path. A prior issue (pre-4.12.25) causes %5C to decode to a backslash, which Windows path resolution treats as a separator, allowing a crafted URL segment (e.g., admin\secret.txt) t...

5.9CVSS5.8AI score0.00292EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 5:14 p.m.37 views

CVE-2026-54286 Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...

5.9CVSS0.00292EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 5:14 p.m.7 views

CVE-2026-54286

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...

5.9CVSS5.8AI score0.00292EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/16 9:28 p.m.7 views

GHSA-QRP7-CVWR-J2C6 Caddy: Windows `file_server` path authorization bypass via encoded backslash

Summary On Windows, Caddy path matchers treat /private\secret.txt as outside /private/, but fileserver later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can request /private%5csecret.txt and bypass Caddy path-scoped auth/deny routes protecting...

7.5CVSS5.4AI score0.00409EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/16 9:28 p.m.15 views

Caddy: Windows `file_server` path authorization bypass via encoded backslash

Summary On Windows, Caddy path matchers treat /private\secret.txt as outside /private/, but fileserver later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can request /private%5csecret.txt and bypass Caddy path-scoped auth/deny routes protecting...

8.2CVSS5.3AI score0.00409EPSS
Exploits2References2Affected Software2
Patchstack
Patchstack
added 2026/06/16 2:9 p.m.6 views

NPM: hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

NPM: hono: Path traversal in serve-static on Windows via encoded backslash %5C vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...

5.9CVSS5.8AI score0.00292EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/16 2:9 p.m.12 views

Directory Traversal

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serve-static method on Windows hosts when an encoded backslash %5C in the request path is decoded to , which is treated as a separator by the Windows path...

8.7CVSS6.5AI score0.00292EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/16 2:9 p.m.18 views

hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

Summary On Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static file...

5.9CVSS5.2AI score0.00292EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.14 views

PT-2026-49733

Name of the Vulnerable Software and Affected Versions serve-static affected versions not specified Description On Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. Because the router splits paths only on /, a request su...

5.9CVSS5.8AI score0.00292EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.15 views

PT-2026-49066

Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.63.6 Description An issue exists where the software fails to properly normalize file paths when creating zip or tar archives on Linux hosts. Specifically, the getFiles function uses filepath.ToSlash, which does...

6.8CVSS6AI score0.00189EPSS
Exploits0References6
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2004-2619

Malware in sbrugna...

5CVSS6.4AI score0.03623EPSS
Exploits1References8
VulnCheck KEV
VulnCheck KEV
added 2025/01/13 12:0 a.m.4 views

VulnCheck KEV: CVE-2023-31059

Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php...

7.5CVSS5.8AI score0.05574EPSS
Exploits2References1
OSV
OSV
added 2023/04/24 3:15 a.m.6 views

CVE-2023-31059

Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php...

7.5CVSS7.2AI score0.05574EPSS
Exploits2References2
OSV
OSV
added 2022/05/01 5:44 p.m.45 views

GHSA-4PRH-GQW8-RGH5 Apache Tomcat Directory Traversal

Directory traversal vulnerability in Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules modproxy, modrewrite, modjk, allows remote attackers to read arbitrary files via a .. dot dot sequence with combinations of 1 / slash, 2 \ backslash, and 3 URL-encoded backslash %...

5CVSS6.2AI score0.90768EPSS
Exploits2References34
seebug.org
seebug.org
added 2014/07/01 12:0 a.m.39 views

Abyss Web Server 1.0 Encoded Backslash Directory Traversal Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/5547/info A directory traversal vulnerability has been reported for Abyss Web Server. The issue is related to the failure to properly process the backslash '', encoded as '%5c', character, which may be used as a directory...

7.1AI score
Exploits0
Rows per page
Query Builder