Authentication Bypass Using an Alternate Path or Channel

Overview @nuxt/nitro-server is a Nitro server integration for Nuxt Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the route middleware. An attacker can gain unauthorized access to server-rendered page content by directly requesting...

[SECURITY] Fedora 43 Update: rust-eif_build-0.2.1-7.fc43

This CLI tool provides a low level path to assemble an enclave image format EIF file used in AWS Nitro Enclaves...

[SECURITY] Fedora 44 Update: rust-eif_build-0.2.1-7.fc44

This CLI tool provides a low level path to assemble an enclave image format EIF file used in AWS Nitro Enclaves...

Amazon Linux 2 : runc, --advisory ALAS2NITRO-ENCLAVES-2026-103 (ALASNITRO-ENCLAVES-2026-103)

The version of runc installed on the remote host is prior to 1.3.4-5. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2026-103 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memo...

Amazon Linux 2 : docker, --advisory ALAS2NITRO-ENCLAVES-2026-104 (ALASNITRO-ENCLAVES-2026-104)

The version of docker installed on the remote host is prior to 25.0.14-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2026-104 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C...

HTTP Request Smuggling

Overview @nuxt/nitro-server is a Nitro server integration for Nuxt Affected versions of this package are vulnerable to HTTP Request Smuggling via the nuxtisland endpoint when responses are not properly bound to request props, allowing shared-cache poisoning. An attacker can cause users to receive...

CVE-2026-44373

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

CVE-2026-44372

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta...

CVE-2026-44372 Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta...

CVE-2026-44372 Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta...

CVE-2026-44372

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta...

CVE-2026-44372

CVE-2026-44372 affects Nitro, a server toolkit, with an Open Redirect via a protocol-relative URL bypass in wildcard route rules. Before the patch, a redirect rule using a wildcard could be manipulated to redirect cross-host by sliding an extra slash after the rule prefix. The issue is fixed in N...

CVE-2026-44373 Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

CVE-2026-44373 Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

CVE-2026-44373

The CVE-2026-44373 issue affects Nitro (server toolkit) where an attacker could bypass a proxy route rule by sending a percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward a request outside the configured scope. The vulnerability is tied to Nitro’s routeRules proxy handling...

CVE-2026-44373

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. This vulnerability is fixed in...

Nitro 路径遍历漏洞

Nitro is an open-source, zero-configurable production-level server extension tool developed by Nitro. Versions prior to Nitro 3.0.260429-beta contained a path traversal vulnerability. This vulnerability allowed attackers to send percent-encoded paths in URLs, causing Nitro to redirect requests to...

Nitro 输入验证错误漏洞

Nitro is an open-source, zero-configurable production-level server extension tool developed by Nitro. Versions prior to Nitro 3.0.260429-beta contained a vulnerability related to input validation errors. This vulnerability allowed attackers to convert wildcarded redirect rules into cross-host...

Malicious code in @tanstack/nitro-v2-vite-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f689866f0ed8e6cf47200b7bf613dd377c407e21d5ed6b2a0caf5252e822d8ff Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3464 Malicious code in @tanstack/nitro-v2-vite-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f689866f0ed8e6cf47200b7bf613dd377c407e21d5ed6b2a0caf5252e822d8ff Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...