Lucene search
K

633 matches found

Patchstack
Patchstack
added 2026/05/06 11:2 p.m.9 views

NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

NPM: Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules vulnerability discovered by ? in WordPress Npm nitropack versions 2.13.4...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/05/06 11:2 p.m.3 views

GHSA-9PHM-9P8F-HW5M Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

A redirect route rule like: ts routeRules: "/legacy/": redirect: "/" is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit: GET /legacy//evil.com Nitro...

6.1CVSS5.8AI score0.00237EPSS
Exploits0References7
vulnersOsv
vulnersOsv
added 2026/05/06 11:2 p.m.7 views

@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +39 more potentially affected by CVE-2026-44372 via nitro (>=3.0.0 <=3.0.260415-beta)

nitro NPM version =3.0.0, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.55 and more Source cves: CVE-2026-44372 Source advisory: SNYK:JS-NITRO-16757947...

6.1CVSS5.7AI score0.00237EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/06 11:2 p.m.9 views

Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

A redirect route rule like: ts routeRules: "/legacy/": redirect: "/" is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit: GET /legacy//evil.com Nitro...

6.1CVSS5.8AI score0.00237EPSS
Exploits0References7Affected Software2
Snyk
Snyk
added 2026/05/06 11:1 p.m.15 views

Directory Traversal

Overview nitro is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Directory Traversal via the routeRules function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs containing...

6.9CVSS6.3AI score0.00392EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/06 11:1 p.m.6 views

@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +39 more potentially affected by CVE-2026-44373 via nitro (>=3.0.0 <=3.0.260415-beta)

nitro NPM version =3.0.0, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.55 and more Source cves: CVE-2026-44373 Source advisory: SNYK:JS-NITRO-16757954...

5.3CVSS5.7AI score0.00392EPSS
Exploits0
Patchstack
Patchstack
added 2026/05/06 11:1 p.m.10 views

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules vulnerability discovered by ? in WordPress Npm nitropack versions 2.13.4...

5.3CVSS5.8AI score0.00392EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/05/06 11:1 p.m.6 views

GHSA-5W89-W975-HF9Q Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`

A proxy route rule like: ts routeRules: "/api/orders/": proxy: to: "http://upstream/orders/" is intended to limit the proxy to URLs under /api/orders/. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a...

5.3CVSS5.8AI score0.00392EPSS
Exploits0References7
vulnersOsv
vulnersOsv
added 2026/05/06 11:1 p.m.6 views

@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +42 more potentially affected by CVE-2026-44373 via nitro (>=0.0.0 <=3.0.260415-beta)

nitro NPM version =0.0.0, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.55 and more Source cves: CVE-2026-44373 Source advisory: OSV:GHSA-5W89-W975-HF9Q...

5.3CVSS5.7AI score0.00392EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/06 11:1 p.m.5 views

@bicou/countries-server (>=1.6.0 <=1.6.7), @gabortorma/feathers-nitro-adapter (>=0.5.0 <=0.6.0) +10 more potentially affected by CVE-2026-44373 via nitropack (>=2.10.4 <=2.13.1)

nitropack NPM version =2.10.4, =1.6.0, =0.5.0, =0.6.1, =1.0.0, =4.0.0, =4.0.0-29145487.7beaa672, =2.0.0-beta.131, =1.0.2, =4.0.0, =0.1.0, =4.0.0-29145487.7beaa672, =4.0.1-29212698.365e81c1 Source cves: CVE-2026-44373 Source advisory: SNYK:JS-NITROPACK-16757953...

5.3CVSS5.4AI score0.00392EPSS
Exploits0
Patchstack
Patchstack
added 2026/05/06 11:1 p.m.8 views

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`

NPM: Nitro has a proxy scope bypass via percent-encoded path traversal in routeRules vulnerability discovered by ? in WordPress Npm nitro versions 3.0.260429-beta...

5.3CVSS5.8AI score0.00392EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 11:1 p.m.8 views

Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`

A proxy route rule like: ts routeRules: "/api/orders/": proxy: to: "http://upstream/orders/" is intended to limit the proxy to URLs under /api/orders/. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal ..%2f in the URL, causing Nitro to forward a...

5.3CVSS5.8AI score0.00392EPSS
Exploits0References7Affected Software2
Amazon
Amazon
added 2026/04/30 12:0 a.m.8 views

Low: aws-nitro-tpm-tools

Issue Overview: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used...

6.8CVSS5.3AI score0.00291EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/14 7:23 p.m.5 views

CVE-2025-69627

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...

8.4CVSS5.8AI score0.00199EPSS
Exploits0References1
Amazon
Amazon
added 2026/04/14 12:0 a.m.12 views

Medium: oci-add-hooks

Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...

7.5CVSS5.9AI score0.00728EPSS
Exploits0
Amazon
Amazon
added 2026/04/14 12:0 a.m.6 views

Medium: amazon-ecr-credential-helper

Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...

7.5CVSS5.9AI score0.00728EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/04/14 12:0 a.m.3 views

Amazon Linux 2 : oci-add-hooks, --advisory ALAS2NITRO-ENCLAVES-2026-096 (ALASNITRO-ENCLAVES-2026-096)

The version of oci-add-hooks installed on the remote host is prior to 0-0.8.20200504git325a340. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2026-096 advisory. url.Parse insufficiently validated the host/authority component and accepted some...

7.5CVSS7.4AI score0.00728EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/13 6:30 p.m.3 views

EUVD-2025-209415

A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service DoS via a crafted XFA packet...

7.5CVSS5.8AI score0.00442EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/13 6:30 p.m.4 views

EUVD-2025-209419

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...

5.8AI score0.00199EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/13 6:30 p.m.2 views

EUVD-2025-209417

Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert. When app.alert is called with more than one argument and the first argument evaluates to null for example, app.alertapp.activeDocs, true when app.activeDocs is null...

7.5CVSS5.8AI score0.00428EPSS
Exploits0References2
Rows per page
Query Builder