Lucene search

72 matches found

Snyk
added 6 days ago, 7 views

HTTP Request Smuggling

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to HTTP Request Smuggling via the app.mount function. An attacker can access unintended routes or resources by sending requests with percent-encoded multi-byte characters in the URL path,...

CVSS 6.9, AI score 5.8, EPSS 0.00051
Exploits: 0, References: 2
Positive Technologies
added 6 days ago, 3 views

PT-2026-44416

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.21. Description: In the app.mount function, the mount prefix is stripped from the incoming request path using the raw URL pathname, whereas route matching is conducted against the percent-decoded path. This...

CVSS 5.3, AI score 5.8, EPSS 0.00051
Exploits: 0, References: 3
Github Security Blog
added 2026/04/17 10:20 p.m., 4 views

Dapr: Service Invocation path traversal ACL bypass

Summary: A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

CVSS 8.1, AI score 5.7, EPSS 0.00035
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/04/17 10:20 p.m., 2 views

GHSA-85GX-3QV6-4463 Dapr: Service Invocation path traversal ACL bypass

Summary: A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

CVSS 8.1, AI score 5.7, EPSS 0.00035
Exploits: 0, References: 4
Positive Technologies
added 2026/04/17 12:00 a.m., 2 views

PT-2026-37119

Name of the Vulnerable Software and Affected Versions: Dapr versions 1.3.0 through 1.15.13; Dapr versions 1.16.0-rc.1 through 1.16.13; Dapr versions 1.17.0-rc.1 through 1.17.4. Description: An issue exists in the way access control policies for service invocation are handled. The Access Control List A...

CVSS 8.1, AI score 5.8, EPSS 0.00035
Exploits: 0, References: 7
Vulnrichment
added 2026/04/02 5:14 p.m., 1 view

CVE-2026-34523 SillyTavern: Path traversal allows file existence oracle

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in the static file route handler allows any unauthenticate...

CVSS 5.3, AI score 5.8, EPSS 0.00031
Exploits: 1, References: 2
CVE
added 2025/12/09 12:35 a.m., 19 views

CVE-2025-66490

CVE-2025-66490 affects Traefik, where versions prior to 2.11.32 and 2.11.31–3.6.2 could bypass path normalization when using PathPrefix, Path, or PathRegex matchers. Under path-based routing, requests containing URL-encoded restricted characters (/, , Null, ;, ?, #) may bypass the middleware chai...

CVSS 6.9, AI score 6.3, EPSS 0.00018
Exploits: 1, References: 3, Affected Software: 1
AlpineLinux
added 2025/12/09 12:35 a.m., 2 views

CVE-2025-66490

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...

CVSS 6.9, AI score 5.8, EPSS 0.00018
Exploits: 1, References: 3
Vulnrichment
added 2025/12/09 12:35 a.m., 1 view

CVE-2025-66490 Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...

CVSS 6.9, AI score 6.3, EPSS 0.00018
Exploits: 1, References: 3
Cvelist
added 2025/12/09 12:35 a.m., 28 views

CVE-2025-66490 Traefik doesn't Prevent Path Normalization Bypass in Router + Middleware Rules

Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters /, , Null,...

CVSS 6.9, EPSS 0.00018
Exploits: 1, References: 3
Snyk
added 2025/12/08 4:42 p.m., 1 view

Interpretation Conflict

Overview: Affected versions of this package are vulnerable to Interpretation Conflict in path matching. An attacker can gain unauthorized access to restricted endpoints by sending requests with URL-encoded restricted characters in the path, which bypasses middleware and security controls...

CVSS 7.2, AI score 6.9, EPSS 0.00018
Exploits: 1, References: 2
Snyk
added 2025/12/08 4:42 p.m., 1 view

Interpretation Conflict

Overview: Affected versions of this package are vulnerable to Interpretation Conflict in path matching. An attacker can gain unauthorized access to restricted endpoints by sending requests with URL-encoded restricted characters in the path, which bypasses middleware and security controls...

CVSS 7.2, AI score 6.9, EPSS 0.00018
Exploits: 1, References: 2
Snyk
added 2025/12/08 4:42 p.m., 1 view

Interpretation Conflict

Overview: github.com/traefik/traefik/v2/pkg/server is a server package for traefik, a cloud native edge router. Affected versions of this package are vulnerable to Interpretation Conflict in path matching. An attacker can gain unauthorized access to restricted endpoints by sending requests with...

CVSS 7.2, AI score 6.8, EPSS 0.00018
Exploits: 1, References: 2
OSV
added 2025/12/08 4:42 p.m., 2 views

GHSA-GM3X-23WP-HC2C Path Normalization Bypass in Traefik Router + Middleware Rules

Impact: There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the request path contains an encoded restricted character from the followin...

CVSS 6.9, AI score 6.9, EPSS 0.00018
Exploits: 1, References: 5
FreeBSD
added 2025/12/08 12:00 a.m., 22 views

traefik -- Bypassing security controls via special characters

The traefik project reports: There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the request path contains an encoded restricted...

CVSS 6.9, AI score 6.9, EPSS 0.00018
Exploits: 1, References: 1
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2018-0733

Malware in sbrugna...

CVSS 6.1, AI score 6.5, EPSS 0.00444
Exploits: 1, References: 10
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2002-0006

Malware in sbrugna...

CVSS 7.5, AI score 6.4, EPSS 0.08631
Exploits: 0, References: 10
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2005-0832

Malware in sbrugna...

CVSS 5, AI score 6.4, EPSS 0.00397
Exploits: 1, References: 3
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2005-3364

Malware in sbrugna...

CVSS 7.5, AI score 6.1, EPSS 0.02273
Exploits: 1, References: 13
RedhatCVE
added 2025/03/23 8:48 p.m., 15 views

CVE-2025-27553

A flaw was found in Apache Commons VFS. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains...

CVSS 5.3, AI score 7.5, EPSS 0.0071
Exploits: 0, References: 4