Interpretation Conflict
Overview @fastify/middie is a middleware engine for Fastify. Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...
GHSA-V92G-XGXW-VVMM Mako: Path traversal via double-slash URI prefix in TemplateLookup
Summary TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations: - Template.init strips one leading / using if/slice - TemplateLookup.gettemplate strips all...
Exploit for CVE-2026-25890
CVE-2026-25890 - FileBrowser Access Control Bypass
GO-2026-4474 File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL in github.com/filebrowser/filebrowser
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
Summary An authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting...
Incorrect Authorization
Overview github.com/filebrowser/filebrowser/v2/http is a web file browser. Affected versions of this package are vulnerable to Incorrect Authorization via improper normalization of URL paths in the rules. An attacker can gain unauthorized access to restricted files and perform unauthorized...
CVE-2026-25890
Summary: CVE-2026-25890 affects File Browser prior to 2.57.1, where an authenticated user can bypass the file-path disallow rules by adding multiple slashes (e.g., //private/) to the request URL. The authorization check fails to match the rule while the underlying filesystem resolves the path, gr...
CVE-2026-25890 File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashe...
EUVD-2021-1974
Malware in sbrugna...
python: open redirection vulnerability in lib/http/server.py may lead to information disclosure
A vulnerability was found in python. This security flaw causes an open redirection vulnerability in lib/http/server.py due to no protection against multiple / at the beginning of the URI path. This issue may lead to information disclosure...
SUSE CVE-2015-0557
Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive...
SUSE CVE-2015-2750
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence...
SUSE CVE-2021-28861
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple / at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states...
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
UBUNTU-CVE-2021-28861
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple / at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states...
CVE-2021-28861
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple / at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states...