CVE-2026-8100

CVE-2026-8100 affects Chef 360. The issue arises from improper handling of URL-encoded paths during request processing, allowing an authenticated request to bypass standard access controls and access higher-privilege API endpoints under certain conditions. Impact is deployment/configuration depen...

Path Equivalence

Overview Affected versions of this package are vulnerable to Path Equivalence in the pathWithoutMatrixParams of AbstractPathMatchingHttpSecurityPolicy via specially crafted HTTP requests containing encoded semicolons, slashes, or backslashes in the request path. An attacker can gain unauthorized...

PT-2026-49738

Name of the Vulnerable Software and Affected Versions NLTK versions prior to 3.10.0-rc1 Description The nltk.data.load function is subject to path traversal when using the nltk: URL scheme. The issue arises because the UNSAFE NO PROTOCOL RE regex check is performed on the raw resource string befo...

CVE-2026-44373

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

CVE-2026-44437

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly...

GHSA-2GCR-MFCQ-WCC3 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Summary app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte...

CVE-2026-32847

DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in newui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /fullpath:path endpoint. Attackers can bypass Starlette's...

PT-2026-44488

Name of the Vulnerable Software and Affected Versions DeepCode versions prior to commit c991dc2 Description A path traversal issue exists in the SPA catch-all route within new ui/backend/main.py. Unauthenticated attackers can read arbitrary files by providing percent-encoded path segments to the...

Altium Enterprise Server 路径遍历漏洞

Altium Enterprise Server is a localization data management server developed by Altium Corporation in the United States. Altium Enterprise Server has a path traversal vulnerability, which stems from improper handling of path file routing parameters. This vulnerability could allow authenticated use...

CVE-2026-44373 Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules vulnerability discovered by ? in WordPress Npm nitropack versions 2.13.4...

CVE-2026-6321

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize and equal functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

Astra Linux – Vulnerability in Jetty9

For Eclipse Jetty versions = 9.4.40, = 10.0.2, and = 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can revea...

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVE-2026-6414

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

PT-2026-33313

Name of the Vulnerable Software and Affected Versions @fastify/static versions 8.0.0 through 9.1.0 Description @fastify/static decodes percent-encoded path separators '%2F' before filesystem resolution, whereas the Fastify router treats them as literal characters. This discrepancy allows for a...

SUSE CVE-2026-34786

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Staticapplicablerules evaluates several headerrules types against the raw URL-encoded PATHINFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a...

CVE-2026-34786

A flaw was found in Rack. A remote attacker can exploit this vulnerability by sending a specially crafted request with a URL-encoded static path. This bypasses security-relevant response headers intended for static content, potentially leading to information disclosure or other unintended...

Rack has Content-Length mismatch in Rack::Files error responses

Summary Rack::Filesfail sets the Content-Length response header using Stringsize instead of Stringbytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the...