Lucene search
+L

115 matches found

rubygems
rubygems
added 2026/04/02 12:0 a.m.10 views

Rack:: Static header_rules bypass via URL-encoded paths

Summary Rack::Staticapplicablerules evaluates several headerrules types against the raw URL-encoded PATHINFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers...

5.3CVSS5.8AI score0.00195EPSS
Exploits0References1Affected Software1
snyk
snyk
added 2026/03/13 6:55 p.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through a discrepancy in path normalization between protocol handlers and internal routing. An attacker can bypass folder-level permissions or escape the boundaries of a configured virtual folder by crafting specific...

8.1CVSS6.3AI score0.00521EPSS
Exploits0References2
snyk
snyk
added 2026/03/06 9:3 p.m.3 views

Directory Traversal

Overview std/os is a Go standard library package std/os Affected versions of this package are vulnerable to Directory Traversal. Go Vulnerability Report:On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file...

4.8CVSS6.2AI score0.00201EPSS
Exploits0References3
cvelist
cvelist
added 2026/03/06 5:3 p.m.33 views

CVE-2026-29087 @hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections e.g. protecting /admin/, inconsistent URL decoding can allow protected static resources to be accessed...

7.5CVSS0.00327EPSS
Exploits0References2
snyk
snyk
added 2026/03/02 10:19 p.m.5 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the static file serving API. An attacker can access files outside the intended directory by placing symbolic links within the root directory and requesting those...

5.5CVSS6.5AI score0.00131EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2026/02/21 5:15 a.m.8 views

CVE-2026-27199 Werkzeug safe_join() allows Windows special device names

Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safejoin function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that...

6.3CVSS5.2AI score0.00556EPSS
Exploits1References3
github
github
added 2026/02/19 8:32 p.m.9 views

Werkzeug safe_join() allows Windows special device names

Werkzeug's safejoin function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safejoin accepts...

6.3CVSS5.5AI score0.00556EPSS
Exploits1References5Affected Software1
github
github
added 2026/01/28 9:41 p.m.21 views

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

Summary A stored Cross-site Scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because...

9.4CVSS5.9AI score0.00385EPSS
Exploits1References3Affected Software1
osv
osv
added 2025/11/29 2:28 a.m.11 views

CVE-2025-66221 Werkzeug safe_join() allows Windows special device names

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safejoin function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory...

6.3CVSS6.7AI score0.00474EPSS
Exploits0References5
snyk
snyk
added 2025/11/20 2:41 a.m.5 views

Directory Traversal

Overview cn.dreampie:resty-httpclient is a Resty java httpClient Affected versions of this package are vulnerable to Directory Traversal via the Request function. An attacker can access or modify files outside the intended directory by supplying crafted input to the filename argument. Details A...

8.1CVSS7.5AI score0.00658EPSS
Exploits1References2
cvelist
cvelist
added 2025/11/19 4:20 p.m.15 views

CVE-2025-34337 eGovFramework <= 4.3.1 Unauthenticated Encryption Oracle via Web Editor Image Upload Endpoints

eGovFramework/egovframe-common-components versions up to and including 4.3.1 includes Web Editor image upload and related file delivery functionality that uses symmetric encryption to protect URL parameters, but exposes an encryption oracle that allows attackers to generate valid ciphertext for...

8.7CVSS0.00256EPSS
Exploits1References5
euvd
euvd
added 2025/10/07 12:30 a.m.4 views

EUVD-2020-0621

Malware in sbrugna...

7.5CVSS7.6AI score0.01933EPSS
Exploits0References6
euvd
euvd
added 2025/10/07 12:30 a.m.8 views

EUVD-2006-6620

Malware in sbrugna...

5CVSS6.4AI score0.0256EPSS
Exploits0References10
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2006-3228

Malware in sbrugna...

4.3CVSS6.4AI score0.02083EPSS
Exploits0References10
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-0375

Malware in sbrugna...

6.1CVSS6.2AI score0.00879EPSS
Exploits1References5
euvd
euvd
added 2025/10/07 12:30 a.m.4 views

EUVD-2016-2332

Malware in sbrugna...

5.9CVSS6.5AI score0.02867EPSS
Exploits0References10
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-2954

Malicious code in bioql PyPI...

5.3CVSS5.4AI score0.00294EPSS
Exploits0References6
euvd
euvd
added 2025/10/03 8:7 p.m.3 views

EUVD-2024-1511

Malicious code in bioql PyPI...

8.2CVSS8AI score0.00722EPSS
Exploits0References6
cve
cve
added 2025/09/10 6:49 p.m.26 views

CVE-2025-59049

Mockoon before 9.2.0 is affected by a Path Traversal and Local File Inclusion (LFI) in the static file serving endpoint. The issue stems from unsafe templating of the server filename using user input, enabling an attacker to read arbitrary files from the mock server filesystem. A fix is available...

7.5CVSS6.3AI score0.0166EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2025/09/10 6:49 p.m.3 views

CVE-2025-59049 Mockoon has a Path Traversal and LFI in the static file serving endpoint

Mockoon provides way to design and run mock APIs. Prior to version 9.2.0, a mock API configuration for static file serving follows the same approach presented in the documentation page, where the server filename is generated via templating features from user input is vulnerable to Path Traversal...

7.5CVSS6.3AI score0.0166EPSS
Exploits0References4
Rows per page
Query Builder