Lucene search
K

178 matches found

RedHat Linux
RedHat Linux
β€’added 6 days agoβ€’5 views

next.js: Next.js: Unauthorized access to protected content via middleware bypass

A flaw was found in Next.js. App Router applications that use middleware or proxy-based authorization checks are vulnerable to unauthorized access. A remote attacker can exploit this by crafting specific .rsc and segment-prefetch URLs, which bypass the intended middleware rules. This allows acces...

7.5CVSS5.9AI score0.01416EPSS
Exploits0References5
RedHat Linux
RedHat Linux
β€’added 6 days agoβ€’4 views

next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n

A flaw was found in Next.js. Applications utilizing the Pages Router with internationalization i18n configured and middleware or proxy-based authorization are susceptible to unauthorized access. A remote attacker can exploit this by making locale-less /next/data//.json requests, which bypass the...

7.5CVSS5.9AI score0.00551EPSS
Exploits1References5
NVD
NVD
β€’added 2026/07/01 12:16 p.m.β€’7 views

CVE-2026-14198

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...

9.1CVSS0.00299EPSS
Exploits0References2
NVD
NVD
β€’added 2026/06/30 1:19 p.m.β€’12 views

CVE-2026-6556

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths arrays of paths and regular expressions are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms doe...

9.1CVSS0.00295EPSS
Exploits0References2
CVE
CVE
β€’added 2026/06/30 12:48 p.m.β€’14 views

CVE-2026-6556

The CVE concerns @fastify/express 4.0.6 and earlier, where non-string mount paths (arrays/regex) are not prefixed inside prefixed plugin scopes. This causes middleware registered with those forms to not match the actual prefixed request path, potentially bypassing path-scoped security middleware ...

9.1CVSS5.8AI score0.00295EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
β€’added 2026/06/30 12:48 p.m.β€’30 views

CVE-2026-6556 @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths arrays of paths and regular expressions are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms doe...

9.1CVSS0.00295EPSS
Exploits0References2
Metasploit
Metasploit
β€’added 2026/06/24 7:4 p.m.β€’153 views

Next.js Middleware Authorization Bypass Scanner

This module detects self-hosted Next.js applications affected by CVE-2025-29927, an authorization bypass in the middleware layer. Next.js tags its own internal subrequests with the x-middleware-subrequest header and skips middleware when it sees it. The header is trusted without verifying it...

9.1CVSS6.9AI score0.99621EPSS
Exploits58
CVE
CVE
β€’added 2026/06/22 8:48 p.m.β€’18 views

CVE-2026-54281

The CVE concerns NestJS with the Fastify adapter: an authentication bypass exists in @nestjs/platform-fastify before version 11.1.24 when middleware is registered via MiddlewareConsumer.forRoutes(). A trailing slash on the request URL can bypass route-specific Nest middleware on the default Fasti...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References1
Cvelist
Cvelist
β€’added 2026/06/22 8:48 p.m.β€’31 views

CVE-2026-54281 Nest: Middleware Bypass on Fastify via Trailing Slash

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated clien...

8.7CVSS0.00285EPSS
Exploits0References1
Snyk
Snyk
β€’added 2026/06/15 8:36 p.m.β€’8 views

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References2
CVE
CVE
β€’added 2026/06/12 1:41 p.m.β€’59 views

CVE-2026-53721

CVE-2026-53721 affects Nuxt (Vue.js framework) earlier branches: 3.11.0–3.21.6 and 4.0.0–4.4.6 are vulnerable to a route-rule middleware bypass caused by a case-sensitivity mismatch between vue-router and the routeRules matcher. The issue has been patched in Nuxt versions 3.21.7 and 4.4.7. The CV...

8.8CVSS5.2AI score0.00294EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
β€’added 2026/06/12 12:0 a.m.β€’15 views

PT-2026-48880

Name of the Vulnerable Software and Affected Versions Nuxt versions 3.11.0 through 3.21.6 Nuxt versions 4.0.0 through 4.4.6 Description A route-rule middleware bypass exists due to a case-sensitivity mismatch between vue-router and the routeRules matcher. Recommendations Update to version 3.21.7...

8.8CVSS5.2AI score0.00294EPSS
Exploits0References8
RedhatCVE
RedhatCVE
β€’added 2026/06/05 7:25 p.m.β€’10 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS5.4AI score0.00376EPSS
Exploits0References1
RedhatCVE
RedhatCVE
β€’added 2026/06/05 7:17 p.m.β€’10 views

CVE-2026-33804

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicat...

9.1CVSS5.4AI score0.00278EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
β€’added 2026/06/05 12:0 a.m.β€’30 views

VulnCheck KEV: CVE-2026-31816

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

9.1CVSS5.6AI score0.15339EPSS
In wildExploits2References6
RedhatCVE
RedhatCVE
β€’added 2026/06/02 11:53 p.m.β€’17 views

CVE-2026-44575

A flaw was found in Next.js. App Router applications that use middleware or proxy-based authorization checks are vulnerable to unauthorized access. A remote attacker can exploit this by crafting specific .rsc and segment-prefetch URLs, which bypass the intended middleware rules. This allows acces...

7.5CVSS5.7AI score0.01416EPSS
Exploits0References4
RedhatCVE
RedhatCVE
β€’added 2026/06/02 11:53 p.m.β€’15 views

CVE-2026-44574

A flaw was found in Next.js. This vulnerability allows an attacker to bypass security checks in web applications that use Next.js middleware to protect specific web pages. By sending specially crafted web addresses, an attacker can access protected content without proper authorization. This could...

8.1CVSS5.6AI score0.00449EPSS
Exploits2References4
RedhatCVE
RedhatCVE
β€’added 2026/05/27 10:57 p.m.β€’13 views

CVE-2026-48710

A flaw was found in Starlette, a lightweight ASGI Asynchronous Server Gateway Interface framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP Host request header. This malformed header could cause the request.url to be incorrectly reconstructed, leading...

6.5CVSS5.8AI score0.01438EPSS
Exploits2References10
GithubExploit
GithubExploit
β€’added 2026/05/26 4:2 p.m.β€’104 views

patch-to-exploit

patch-to-exploit Lab + PoC scripts for "30 minutes from patch...

9.8CVSS6.1AI score0.84631EPSS
Exploits21
IBM Security Bulletins
IBM Security Bulletins
β€’added 2026/05/26 2:4 p.m.β€’12 views

Security Bulletin: Multiple Vulnerabilities in IBM Bob

Summary Multiple vulnerabilities were addressed in IBM Bob V 1.0.2 Vulnerability Details CVEID:CVE-2026-39407 DESCRIPTION: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static...

8.7CVSS6.3AI score0.00612EPSS
Exploits4Affected Software1
Rows per page
Query Builder