Htaccess by BestWebSoft < 1.7.6 - Cross-Site Scripting

The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. id: CVE-2017-18496 info: name: Htaccess by BestWebSoft 1.7.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. impact: |...

EulerOS Virtualization 2.13.0 : httpd (EulerOS-SA-2026-2170)

According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : Apache HTTP Server 2.4.65 and earlier with Server Side Includes SSI enabled and modcgid but not modcgi passes the shell-escaped quer...

CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

CVE-2026-41933

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

CVE-2026-2717

The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via insertwithmarkers. This makes it possible for...

CVE-2026-5364

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file extension before sanitization occurs and allowing the file type parameter to be controlled by the...

CVE-2026-46392

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the saveFile endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the .htaccess rule that forces Content-Disposition: attachment on HTML...

CLSA-2026-1779118869 Fix of 8 CVEs

SECURITY UPDATE: fix off-by-one out-of-bounds read in modproxyajp message getter functions - debian/patches/CVE-2026-33857-prereq.patch: prerequisite fix for ajpmsgcheckheader bounds check to keep msg-len within buffer - debian/patches/CVE-2026-33857.patch: fix off-by-one out-of-bounds read in...

CLSA-2026-1779091399 httpd: Fix of 8 CVEs

CVE-2026-24072: modrewrite/modsetenvif: use APEXPRFLAGRESTRICTED in htaccess to prevent reading server-side files via apexpr from .htaccess - CVE-2026-29169: moddavlock: NULL pointer dereference in davgenericrefreshlocks use dpscan instead of dp - CVE-2026-33006: modauthdigest: timing attack —...

CLSA-2026-1778934210 Fix of 7 CVEs

SECURITY UPDATE: off-by-one OOB read in modproxyajp message getters - debian/patches/CVE-2026-33857.patch: tighten length checks msg-len - = msg-len in ajpmsggetuint8/16/32 and ajpmsgpeekuint8/16 in modules/proxy/ajpmsg.c. - CVE-2026-33857 SECURITY UPDATE: heap over-read in modproxyajp via missin...

CVE-2026-41933

CVE-2026-41933 details : Vvveb (before 1.0.8.3) has a directory listing information disclosure vulnerability enabling unauthenticated attackers to enumerate files and directories by hitting multiple paths without proper index directives in .htaccess. Exposed directories include admin asset paths,...

CVE-2026-41933 Vvveb < 1.0.8.3 Directory Listing Information Disclosure

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

CVE-2026-41933 Vvveb < 1.0.8.3 Directory Listing Information Disclosure

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

CLSA-2026-1778254557 httpd: Fix of 8 CVEs

CVE-2026-24072: modrewrite/modsetenvif: use APEXPRFLAGRESTRICTED in htaccess to prevent reading server-side files via apexpr from .htaccess - CVE-2026-29169: moddavlock: NULL pointer dereference in davgenericrefreshlocks use dpscan instead of dp - CVE-2026-33006: modauthdigest: timing attack —...

CLSA-2026-1778612609 httpd: Fix of 8 CVEs

CVE-2026-24072: use APEXPRFLAGRESTRICTED in htaccess - CVE-2026-29169: moddavlock: use the right davlockdiscovery - CVE-2026-33006: modauthdigest: use aprcryptoequals - CVE-2026-33007: modauthnsocache: validate URL earlier - CVE-2026-33523: scan outgoing status line for newlines and controls -...

CLSA-2026-1778490923 httpd: Fix of 9 CVEs

CVE-2026-33857: fix length checks in AJP msgget functions - CVE-2026-34032: fix ajpmsggetstring buffer checks - CVE-2026-34059: fix ajpparsedata message len check - CVE-2026-24072: use APEXPRFLAGRESTRICTED in htaccess - CVE-2026-29169: moddavlock: use the right davlockdiscovery - CVE-2026-33006:...

CVE-2026-41938

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can uploa...

CVE-2026-41934

Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent...

CLSA-2026-1778254552 httpd: Fix of 8 CVEs

CVE-2026-24072: modrewrite/modsetenvif: use APEXPRFLAGRESTRICTED in htaccess to prevent reading server-side files via apexpr from .htaccess - CVE-2026-29169: moddavlock: NULL pointer dereference in davgenericrefreshlocks use dpscan instead of dp - CVE-2026-33006: modauthdigest: timing attack —...

CLSA-2026-1778152899 httpd: Fix of 2 CVEs

CVE-2017-15710: modauthnzldap out-of-bounds write when accept-language header value is shorter than two characters - CVE-2017-15715: regex anchor in / can match before an embedded newline, allowing .htaccess bypass of trailing-extension filters...