io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files

A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response...

CVE-2026-40246

free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when...

EUVD-2021-21468

Malware in sbrugna...

EUVD-2021-18529

Malware in sbrugna...

EUVD-2022-1169

Malicious code in bioql PyPI...

CVE-2020-27219

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 Not Found JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client...

CVE-2010-3903

Unspecified vulnerability in OpenConnect before 2.23 allows remote AnyConnect SSL VPN servers to cause a denial of service application crash via a 404 HTTP status code...

Spinning wheel during store access for German users, after Storefront upgrade from 2402 to 2402 CU1

Issue: After upgrading Storefront from 2402 to 2402 CU1, German language users may experience a spinning wheel during store access. This does not apply when upgrading from earlier versions of StoreFront, such as from 2203 to 2402 CU1. Symptoms or Error: The developer tool shows Http 404 error for...

mpelqen.com Cross Site Scripting vulnerability OBB-3904804

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

New Timing Attack Against NPM Registry API Could Expose Private Packages

A novel timing attack discovered against the npm's registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. "By creating a list of possible package names, threat actors can detect organizations' scoped privat...

Cross-site scripting vulnerability exists in Jenkins and Stapler Plugin

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in...

GHSA-RCVX-RMVF-MXCH Cross-site Scripting in Eclipse Hawkbit

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 Not Found JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client...

Cross-site Scripting in Eclipse Hawkbit

In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 Not Found JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client...

CVE-2021-34821

Cross Site Scripting XSS vulnerability exists in AAT Novus Management System through 1.51.2. The WebUI has wrong HTTP 404 error handling implemented. A remote, unauthenticated attacker may be able to exploit the issue by sending malicious HTTP requests to non-existing URIs. The value of the URL...

CVE-2021-34821

CVE-2021-34821 affects AAT Novus Management System (NMS) up to version 1.51.2. The WebUI improperly handles 404s, allowing a remote, unauthenticated attacker to issue requests to non-existent URIs. The vulnerability stems from the URL path filename being copied into the HTML document as plain tex...

CVE-2021-34821

Cross Site Scripting XSS vulnerability exists in AAT Novus Management System through 1.51.2. The WebUI has wrong HTTP 404 error handling implemented. A remote, unauthenticated attacker may be able to exploit the issue by sending malicious HTTP requests to non-existing URIs. The value of the URL...

CVE-2021-31641

An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated...

Design/Logic Flaw

An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated...

CVE-2021-31641

An unauthenticated XSS vulnerability exists in several IoT devices from CHIYU Technology, including BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC due to a lack of sanitization when the HTTP 404 message is generated...

CVE-2021-31641

ChiYu IoT devices BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, BF-MINI-W and SEMAC are affected by an unauthenticated XSS vulnerability. The root cause is lack of sanitization when generating HTTP 404 responses, enabling remote scripting via network access. Public documentation con...