37 matches found
CVE-2026-33637
A flaw was found in Faraday, an HTTP client library. This vulnerability allows a remote attacker to perform off-host request forgery by exploiting a protocol-relative host override when a request target is passed as a URI object. This can redirect a request from a fixed-base Faraday connection to...
SUSE CVE-2026-33637
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
Astra Linux - уязвимость в firefox, thunderbird
Relative URLs that start with three slashes were incorrectly parsed. The “path-traversal” /../ part in the path could be used to override the specified host. This could lead to security issues in websites. This vulnerability affects Firefox 120, Firefox ESR 115.5.0, and Thunderbird 115.5...
DEBIAN-CVE-2026-33637
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
CVE-2026-33637
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
CVE-2026-33637
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
CVE-2026-33637
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
EUVD-2026-30966
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
CVE-2026-33637
Faraday (HTTP client library) vulnerability CVE-2026-33637 affects versions 2.0.0–2.14.1, where protocol-relative host override is still possible when the request target is passed as a URI object to Faraday::Connection#build_exclusive_url. This can enable off-host request forgery by redirecting a...
CVE-2026-33637 Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...
GHSA-5RV5-XJ5J-3484 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping
Summary Faraday::Connectionbuildexclusiveurl still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...
CVE-2026-44992 OpenClaw 2026.4.5 through 2026.4.19 - MiniMax API Host Override via Workspace dotenv
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAXAPIHOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...
CVE-2026-42434
OpenClaw 2026.4.5 prior to 2026.4.10 has a sandbox-escape vulnerability. Sandboxed agents can override exec routing by specifying host=node, allowing attackers to bypass sandbox boundaries and route execution to remote nodes instead of the intended sandbox paths. Affected software: OpenClaw; vuln...
NPM: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
NPM: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.5, 2026.4.20...
GHSA-736R-JWJ6-4W23 OpenClaw: Sandboxed agents could escape exec routing via host=node override
Summary Sandboxed agents could escape exec routing via host=node override. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 = 2026.4.10 Impact A sandboxed agent could request host: "node" and route exec to a remote node instead of the intended...
OpenClaw: Sandboxed agents could escape exec routing via host=node override
Summary Sandboxed agents could escape exec routing via host=node override. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 = 2026.4.10 Impact A sandboxed agent could request host: "node" and route exec to a remote node instead of the intended...
CVE-2026-25765 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's buildexclusiveurl method in lib/faraday/connection.rb uses Ruby's URImerge to combine the connection's base URL with a user-supplied path. Per RFC 3986,...
OESA-2025-2591 firefox security update
Security Fixes: Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal /../ part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox 120, Firefox ESR 115.5.0, and...
Mozilla: Incorrect parsing of relative URLs starting with "///"
The Mozilla Foundation Security Advisory describes this flaw as: Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites...
Mozilla: Incorrect parsing of relative URLs starting with "///"
The Mozilla Foundation Security Advisory describes this flaw as: Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites...