Lucene search

1267 matches found

EUVD
added 2026/05/08 1:06 p.m.

EUVD-2026-28552

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper...

CVSS 8.7 | AI score 5.8 | EPSS 0.00038
Exploits: 0 | References: 3

NVD
added 2026/05/08 4:16 a.m.

CVE-2026-42274

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy ca...

CVSS 7.8 | EPSS 0.00061
Exploits: 0 | References: 4

EUVD
added 2026/05/08 3:43 a.m.

EUVD-2026-28510

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy ca...

CVSS 7.8 | AI score 5.7 | EPSS 0.00061
Exploits: 0 | References: 4

CVE
added 2026/05/08 3:43 a.m.

CVE-2026-42274

CVE-2026-42274 affects Heimdall (cloud-native Identity Aware Proxy and Access Control Decision service). Before v0.17.14, it matches rules on raw, non-normalized request paths while downstream components normalize dot-segments per RFC 3986, potentially authorizing requests whose normalized path d...

CVSS 7.8 | AI score 5.7 | EPSS 0.00061
Exploits: 0 | References: 4

Cvelist
added 2026/05/08 3:43 a.m.

CVE-2026-42274 Heimdall: Authorization bypass via path normalization mismatch

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy ca...

CVSS 7.8 | EPSS 0.00061
Exploits: 0 | References: 4

Vulnrichment
added 2026/05/08 3:43 a.m.

CVE-2026-42274 Heimdall: Authorization bypass via path normalization mismatch

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy ca...

CVSS 7.8 | AI score 5.7 | EPSS 0.00061
Exploits: 0 | References: 4

SUSE CVE
added 2026/05/08 2:27 a.m.

SUSE CVE-2026-6321

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize and equal functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

CVSS 7.5 | AI score 5.8 | EPSS 0.00048
Exploits: 0 | References: 3

CNNVD
added 2026/05/08 12:00 a.m.

Heimdall security vulnerability

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service (the CNNVD record misattributes it to LinuxServer.io's application dashboard of the same name). Versions of Heimdall prior to 0.17.14 contained security vulnerabilities. These vulnerabilities stemmed from the use of the original request path for rule matching. Downstream components might normalize the que...

CVSS 7.8 | AI score 5.8 | EPSS 0.00061
Exploits: 0 | References: 1

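The Heimdall entries above (rules matched on the raw path, dot segments removed downstream) and the fast-uri entry (percent-decoding applied before dot-segment removal) are two faces of the same bug class: two layers that disagree on what a path means. The following is an added example, not code from Heimdall, fast-uri or any other project on this page; the /admin deny rule, the request paths and the decoding order are constructed to show the mismatch and the order that avoids it.

```python
"""Path-normalization mismatch between an authorization layer and an upstream.
Added example; not Heimdall or fast-uri code.  The protected prefix and the
request paths are constructed for illustration."""
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"  # constructed policy: /admin and everything below it


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 on an absolute path: drop '.' segments and let
    '..' pop the previous segment.  Operates on the *encoded* path, so '%2F'
    is an ordinary character, not a separator."""
    if not path.startswith("/"):
        raise ValueError("absolute path expected")
    out: list[str] = []
    for seg in path.split("/")[1:]:
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    # '/a/..' and '/a/.' resolve to '/a/' with a trailing slash, as in the RFC
    if path.endswith(("/.", "/..")) and not result.endswith("/"):
        result += "/"
    return result


def is_protected(path: str) -> bool:
    """Prefix rule exactly as a proxy would evaluate it on the path it is handed."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def decide_on_raw_path(request_path: str) -> tuple[bool, str]:
    """Vulnerable pattern: the rule runs on the raw path while the upstream
    normalizes.  Returns (rule_says_protected, path_the_upstream_serves)."""
    return is_protected(request_path), remove_dot_segments(request_path)


def decide_on_normalized_path(request_path: str) -> tuple[bool, str]:
    """Hardened pattern: normalize first, then match and forward the normalized
    path, so both layers reason about the same string."""
    canonical = remove_dot_segments(request_path)
    return is_protected(canonical), canonical


def collapse_decode_first(path: str) -> str:
    """The fast-uri ordering: percent-decode, then remove dot segments.  An
    encoded slash inside one segment becomes a real separator, so distinct
    URIs collapse onto the same normalized path."""
    return remove_dot_segments(unquote(path))


def segments_decode_last(path: str) -> list[str]:
    """Safe ordering: fix the structure on the encoded path, then decode each
    segment on its own.  '%2F' stays inside its segment."""
    return [unquote(seg) for seg in remove_dot_segments(path).split("/")[1:]]


if __name__ == "__main__":
    attack = "/public/../admin/users"
    print(decide_on_raw_path(attack))         # (False, '/admin/users'): allowed, then served
    print(decide_on_normalized_path(attack))  # (True, '/admin/users'): protected
    print(collapse_decode_first("/a%2F..%2Fsecret"))  # '/secret'
    print(segments_decode_last("/a%2F..%2Fsecret"))   # ['a/../secret']
```

The practical check this suggests for any proxy or policy engine: feed it a path with a dot segment (and one with an encoded slash) and compare the path it decided on against the path the upstream actually logs; if they differ, the rule set can be bypassed regardless of how carefully the patterns are written.
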
Positive Technologies
added 2026/05/08 12:00 a.m.

PT-2026-39265

Summary: Bugsink's webhook URL validation in versions 2.1.2 and earlier could be partially bypassed because of a mismatch in URL parsing. In some malformed URLs, Python's standard URL parser (urllib) and the HTTP client stack (requests / urllib3) do not agree on which host is actually being targeted...

CVSS 4.3 | AI score 6 | EPSS 0.00028
Exploits: 0 | References: 6

Veracode
added 2026/05/07 10:05 a.m.

Denial Of Service

Apache Neethi is vulnerable to Denial of Service (DoS). The vulnerability is due to algorithmic complexity in the policy normalization process, where specially crafted WS-Policy documents trigger exponential Cartesian cross-product expansion, leading to excessive memory allocation and JVM heap...

CVSS 7.5 | AI score 5.7 | EPSS 0.00044
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2026/05/07 8:31 a.m.

Denial Of Service

Apache Neethi is vulnerable to Denial of Service. The vulnerability is due to improper handling of circular references during policy normalization, where recursive policy references are not detected, leading to infinite loops or excessive recursion that can cause stack overflow or application hang...

CVSS 7.5 | AI score 5.9 | EPSS 0.00038
Exploits: 0 | References: 3 | Affected Software: 1

CNNVD
added 2026/05/07 12:00 a.m.

Saltcorn input validation error vulnerability

Saltcorn is an open-source, scalable, and code-free database application builder developed by Saltcorn developers. Vulnerabilities existed in versions prior to Saltcorn 1.4.6, 1.5.6, and 1.6.0-beta.5, due to input validation errors. These vulnerabilities stemmed from the dest parameter validation...

CVSS 5.1 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 2

OSV
added 2026/05/06 9:45 p.m.

GHSA-2H4P-VJRC-8XPQ Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup

Summary: On Windows, a URI using backslash traversal (e.g. ..\..\secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template, allowing reads of files outside the configured template directory. Details: The root cause is a...

CVSS 8.7 | AI score 5.8 | EPSS 0.00287
Exploits: 1 | References: 6

Github Security Blog
added 2026/05/06 9:34 p.m.

Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root

Summary: The make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect...

CVSS 4.4 | AI score 5.8 | EPSS 0.00007
Exploits: 0 | References: 3 | Affected Software: 1

Positive Technologies
added 2026/05/06 12:00 a.m.

PT-2026-38271

Vulnerable software and affected versions: Flight versions prior to 3.18.1. Description: The make:controller CLI command allows arbitrary directory creation outside the project root. This occurs because the command calls mkdir(..., recursive: true) on a path constructed from a user-supplie...

CVSS 4.4 | AI score 5.9 | EPSS 0.00007
Exploits: 0 | References: 4

CNNVD
added 2026/05/06 12:00 a.m.

MongoDB C Driver security vulnerability

The MongoDB C Driver is an open-source library developed by MongoDB, designed to connect to and manipulate MongoDB databases in C-language programs. There is a security vulnerability in the MongoDB C Driver, which stems from the insecure string copying performed during username normalization by t...

CVSS 8.6 | AI score 6.1 | EPSS 0.00017
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/06 12:00 a.m.

PT-2026-38303

Vulnerable software and affected versions: Mako (affected versions not specified). Description: On Windows, a path traversal issue exists where URIs using backslash traversal (e.g., ..\..\secret.txt) can bypass directory traversal checks in Template.__init__ and normalization in TemplateLookup.ge...

CVSS 8.7 | AI score 5.8 | EPSS 0.00287
Exploits: 1 | References: 10

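Both Mako entries above describe the same root cause: a traversal check and a normalization step written in posixpath terms, while the file system underneath (Windows) also treats the backslash as a separator. The following is an added example, not Mako's code; the template root C:\site\templates, the lookup logic and the checks are constructed, and ntpath is used so the Windows resolution can be reproduced on any platform.

```python
"""Backslash traversal slipping past a posixpath-based template lookup.
Added example; not Mako's code.  TEMPLATE_ROOT and the lookup logic are
constructed; ntpath is used so Windows path rules apply on every platform."""
import ntpath
import posixpath

TEMPLATE_ROOT = r"C:\site\templates"  # constructed


def resolve_posix_style(uri: str) -> str:
    """Vulnerable lookup: reject '..' only as a forward-slash segment, normalize
    with posixpath, then hand the result to the OS path routines (Windows here).
    A backslash-separated uri is one opaque segment to posixpath, so the check
    passes and ntpath later honours every '..' in it."""
    if ".." in uri.split("/"):
        raise ValueError("traversal rejected")
    normalized = posixpath.normpath("/" + uri).lstrip("/")
    return ntpath.normpath(ntpath.join(TEMPLATE_ROOT, normalized))


def resolve_confined(uri: str) -> str:
    """Hardened lookup: refuse backslashes and NUL, reject '..' segments, resolve
    with the platform's own rules, and require the result to stay under the
    root.  The containment check is what holds even if a new separator trick
    gets past the segment checks."""
    if "\\" in uri or "\x00" in uri:
        raise ValueError("backslash or NUL in template uri")
    if ".." in uri.split("/"):
        raise ValueError("traversal rejected")
    root = ntpath.normpath(TEMPLATE_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, uri.replace("/", "\\")))
    if ntpath.commonpath([root, candidate]) != root:
        raise ValueError("resolved outside template root")
    return candidate


def is_confined(uri: str) -> bool:
    """True if the hardened lookup accepts the uri, False if it rejects it."""
    try:
        resolve_confined(uri)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    payload = r"..\..\secret.txt"              # constructed attacker input
    print(resolve_posix_style(payload))        # C:\secret.txt  (outside the root)
    print(is_confined(payload))                # False
    print(resolve_confined("pages/index.html"))  # C:\site\templates\pages\index.html
```

Running the vulnerable resolver under posixpath alone would hide the bug; the point of using ntpath explicitly is that a test suite on Linux can still exercise the Windows separator semantics that the advisory depends on.
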
NVD
added 2026/05/05 9:16 p.m.

CVE-2026-39852

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP...

CVSS 8.8 | EPSS 0.00015
Exploits: 0 | References: 1

ATTACKERKB
added 2026/05/05 8:58 p.m.

CVE-2026-39852

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP...

CVSS 8.8 | AI score 5.9 | EPSS 0.00015
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2026/05/05 8:58 p.m.

CVE-2026-39852

Summary of CVE-2026-39852: Quarkus exposes an authorization bypass due to a path normalization mismatch between the security layer and RESTEasy Reactive routing, which preserves semicolons (matrix parameters) in the raw URL while routing drops them for endpoint matching. This allows unauthenticate...

CVSS 8.8 | AI score 5.9 | EPSS 0.00015
Exploits: 0 | References: 1 | Affected Software: 1

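The Quarkus entries above describe a variant of the normalization mismatch in which the differing element is the matrix parameter: the security layer matches its path policy on a URL that still contains ';name=value', while the router strips it before picking an endpoint. The following is an added example, not Quarkus or RESTEasy code; the route table, the role policy and the ';x=1' payload are constructed to show how a policy pinned to '/admin/*' is skipped for '/admin;x=1/users' and how evaluating the policy on the routed path closes the gap.

```python
"""Matrix-parameter mismatch between a path policy and a router.
Added example; not Quarkus or RESTEasy code.  POLICY, ROUTES and the request
paths are constructed for illustration."""
import fnmatch
from typing import Optional

POLICY = {"/admin/*": "admin", "/api/*": "user"}  # constructed: pattern -> required role
ROUTES = {"/admin/users", "/api/items"}           # constructed: endpoints the router knows


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' matrix parameters from every segment, as a JAX-RS style
    router does before matching '/admin;x=1/users' to the '/admin/users' endpoint."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def required_role(path: str) -> Optional[str]:
    """First policy pattern that matches the given path, or None if unprotected."""
    for pattern, role in POLICY.items():
        if fnmatch.fnmatchcase(path, pattern):
            return role
    return None


def vulnerable_dispatch(raw_path: str, roles: set) -> str:
    """Policy is checked against the raw path; routing sees the stripped one.
    '/admin;x=1/users' does not match '/admin/*' yet routes to /admin/users."""
    role = required_role(raw_path)
    if role is not None and role not in roles:
        return "403"
    route = strip_matrix_params(raw_path)
    return f"200 {route}" if route in ROUTES else "404"


def hardened_dispatch(raw_path: str, roles: set) -> str:
    """Policy and router evaluate the same canonical path, so whatever the
    router would serve is exactly what the policy was asked about."""
    route = strip_matrix_params(raw_path)
    role = required_role(route)
    if role is not None and role not in roles:
        return "403"
    return f"200 {route}" if route in ROUTES else "404"


if __name__ == "__main__":
    anonymous: set = set()
    print(vulnerable_dispatch("/admin/users", anonymous))       # 403
    print(vulnerable_dispatch("/admin;x=1/users", anonymous))   # 200 /admin/users  (bypass)
    print(hardened_dispatch("/admin;x=1/users", anonymous))     # 403
    print(hardened_dispatch("/admin/users", {"admin"}))         # 200 /admin/users
```

A deny-by-default policy (every path requires some role unless explicitly opened) also blunts this class, because a request whose raw form matches no pattern is refused rather than passed through; canonicalizing before the policy check remains the fix that removes the mismatch itself.
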