Lucene search
K

403 matches found

Fedora
Fedora
added yesterday6 views

[SECURITY] Fedora 44 Update: python-idna-3.18-1.fc44

A library to support the Internationalised Domain Names in Applications IDNA protocol as specified in RFC 5891 . This version of the protocol is often referred to as "IDNA2008" and can produce different results from the earlier standard from 2003. The library is also intended to act as a suitable...

6.9CVSS6.5AI score0.00408EPSS
Exploits0
OSV
OSV
added 2026/07/06 8:16 p.m.4 views

DEBIAN-CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

6.8CVSS5.8AI score0.00208EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 8:16 p.m.8 views

CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

6.8CVSS0.00208EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/06 7:51 p.m.7 views

EUVD-2026-24978

comm: lossy UTF-8 conversion silently corrupts non-UTF-8 output...

3.3CVSS5.9AI score0.00176EPSS
Exploits1References6
OSV
OSV
added 2026/07/06 7:16 p.m.4 views

CVE-2026-58404 Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

4.6CVSS5.8AI score0.00208EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/06 7:16 p.m.5 views

CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

4.6CVSS5.8AI score0.00208EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/07/06 7:16 p.m.37 views

CVE-2026-58404 Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...

4.6CVSS0.00208EPSS
Exploits0References4
CVE
CVE
added 2026/07/06 7:16 p.m.10 views

CVE-2026-58404

Hugo: From v0.162.0 to v0.163.0, the default security.http.urls policy blocked loopback/internal/cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation. Consequently, alternate IPv4 encodings (integer, hex, octal) could resolve to blocked addresses when a template pa...

6.8CVSS5.8AI score0.00208EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/07/01 12:16 p.m.8 views

CVE-2026-14181

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...

7.5CVSS0.00291EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.10 views

PT-2026-54638

Name of the Vulnerable Software and Affected Versions @fastify/middie versions 9.1.0 through 9.3.2 Description An issue exists in the standalone engine's URL normalization and decoding process where malformed percent-encoded sequences in incoming request paths are not properly guarded...

7.5CVSS5.8AI score0.00291EPSS
Exploits0References9
OSV
OSV
added 2026/06/19 7:18 p.m.11 views

GHSA-R46F-3RPW-HXRV Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)

Impact The default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals e.g. http://127.0.0.1/, http://169.254.169.254/. The deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses — integer, hex, or octal, whi...

7.7CVSS5.9AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:18 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the resources.GetRemote process while the host platform uses the cgo system resolver. When alternate IPv4 encodings are used in URLs, such as integer, hexadecimal, or octal representations, which bypa...

8.6CVSS5.9AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:18 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the resources.GetRemote process while the host platform uses the cgo system resolver. When alternate IPv4 encodings are used in URLs, such as integer, hexadecimal, or octal representations, which bypa...

8.6CVSS5.9AI score0.00208EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.9 views

PT-2026-55981

Name of the Vulnerable Software and Affected Versions Hugo versions 0.162.0 through 0.163.0 Description The default security.http.urls policy fails to properly block requests to loopback, internal, and cloud-metadata IPv4 literals because the deny rule only matches dotted-decimal notation...

7.7CVSS6.1AI score0.00208EPSS
Exploits0References14
RedhatCVE
RedhatCVE
added 2026/06/05 7:31 p.m.10 views

CVE-2025-8095

The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supporte...

10CVSS5.4AI score0.00216EPSS
Exploits0References1
OSV
OSV
added 2026/06/02 11:16 p.m.12 views

UBUNTU-CVE-2026-42504

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU...

7.5CVSS5.2AI score0.0056EPSS
Exploits0References5
OSV
OSV
added 2026/05/29 10:27 p.m.7 views

GHSA-5C6W-WWFQ-7QQM PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings

Summary PraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spidertools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...

5.5CVSS6.2AI score0.00014EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/29 10:27 p.m.29 views

PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings

Summary PraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spidertools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...

6.2AI score0.00014EPSS
Exploits0References2Affected Software2
SUSE CVE
SUSE CVE
added 2026/05/29 1:20 a.m.14 views

SUSE CVE-2026-44378

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which...

6.9CVSS5.8AI score0.00324EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.11 views

PT-2026-45049

Summary PraisonAI's spider tools URL validation can be bypassed using alternate loopback host encodings. The affected component is: text praisonaiagents/tools/spider tools.py The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled...

5.5CVSS6.2AI score0.00014EPSS
Exploits0References3
Rows per page
Query Builder