65 matches found

Cvelist
added 2026/03/24 6:40 p.m.; 20 views

CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

CVSS 6.5, EPSS 0.00331
Exploits 1, References 4
Positive Technologies
added 2026/03/24 12:00 a.m.; 6 views

PT-2026-27487

Name of the Vulnerable Software and Affected Versions: Astro versions prior to 10.0.2. Description: Astro, a web framework, contains a flaw in the @astrojs/vercel serverless entrypoint. Versions prior to 10.0.2 do not authenticate requests using the x-astro-path header or x_astro_path query paramete...

CVSS 9.1, AI score 5.9, EPSS 0.00331
Exploits 1, References 10
CNNVD
added 2026/03/24 12:00 a.m.; 10 views

Astro security vulnerability

Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro prior to 10.0.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authentication when reading the x-astro-path header and the x_astro_path query parameters, which could lead...

CVSS 9.1, AI score 5.8, EPSS 0.00331
Exploits 1, References 4
RedhatCVE
added 2026/03/23 10:53 a.m.; 11 views

CVE-2026-33186

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

CVSS 9.1, AI score 5.8, EPSS 0.01557
Exploits 1, References 4
NVD
added 2026/03/20 11:16 p.m.; 5 views

CVE-2026-33186

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory...

CVSS 9.1, EPSS 0.01557
Exploits 1, References 166
OSV
added 2026/03/20 10:23 p.m.; 8 views

CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory...

CVSS 9.1, AI score 6, EPSS 0.01557
Exploits 1, References 3
AlpineLinux
added 2026/03/20 10:23 p.m.; 2 views

CVE-2026-33186

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory...

CVSS 9.1, AI score 5.9, EPSS 0.01557
Exploits 1
Cvelist
added 2026/03/20 10:23 p.m.; 42 views

CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory...

CVSS 9.1, EPSS 0.01557
Exploits 1, References 1
CVE
added 2026/03/20 10:23 p.m.; 379 views

CVE-2026-33186

Summary: CVE-2026-33186 affects gRPC-Go prior to 1.79.3, where Authorization bypass could occur due to improper input validation of the HTTP/2 :path header. The server accepted non-canonical paths like Service/Method (missing leading slash), causing canonical “deny” rules in path-based authorizat...

CVSS 9.1, AI score 5.9, EPSS 0.01557
Exploits 1, References 166, Affected Software 1
Vulnrichment
added 2026/03/20 10:23 p.m.; 3 views

CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory...

CVSS 9.1, AI score 5.9, EPSS 0.01557
Exploits 1, References 1
Snyk
added 2026/03/18 8:10 p.m.; 3 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 :path pseudo-headers in handleStream. An attacker can gain unauthorized access to restricted resources by sending requests with malformed :path headers that omit the leading slash. Thi...

CVSS 9.3, AI score 5.8, EPSS 0.01557
Exploits 1, References 2
Snyk
added 2026/03/18 8:10 p.m.; 3 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 :path pseudo-headers in handleStream. An attacker can gain unauthorized access to restricted resources by sending requests with malformed :path headers that omit the leading slash. Thi...

CVSS 9.3, AI score 5.8, EPSS 0.01557
Exploits 1, References 2
Redos
added 2026/02/09 12:00 a.m.; 7 views

ROS-20260209-73-0004

A vulnerability in the on_frame_recv_callback function of soup-server-message-io-http1.c in the GNOME GUI libsoup library is related to misinterpretation of input data when processing the :scheme, :authority, and :path pseudo-headers. Exploitation of the vulnerability could allow an attacker acting remotel...

CVSS 7.5, AI score 5.6, EPSS 0.00502
Exploits 0
EUVD
added 2025/10/07 9:30 a.m.; 6 views

EUVD-2025-32704

A vulnerability was detected in jakowenko double-take up to 1.13.1. The impacted element is the function app.use of the file api/src/app.js of the component API. The manipulation of the argument X-Ingress-Path results in cross-site scripting. The attack can be executed remotely. Upgrading to...

CVSS 5.3, AI score 5.5, EPSS 0.00321
Exploits 0, References 6
CVE
added 2025/10/07 9:02 a.m.; 12 views

CVE-2025-11360

CVE-2025-11360 affects jakowenko double-take up to 1.13.1, specifically the API component (api/src/app.js). The vulnerability arises from manipulating the X-Ingress-Path in app.use, enabling cross-site scripting that can be exploited remotely. A fix is available in version 1.13.2; the patch is id...

CVSS 5.3, AI score 4.2, EPSS 0.00321
Exploits 0, References 5
Positive Technologies
added 2025/10/07 12:00 a.m.; 4 views

PT-2025-40975

Name of the Vulnerable Software and Affected Versions: jakowenko double-take versions up to 1.13.1. Description: A flaw exists in the API component of jakowenko double-take. The issue is related to the app.use function within the api/src/app.js file. Manipulation of the X-Ingress-Path argument can...

CVSS 5.3, AI score 4, EPSS 0.00321
Exploits 0, References 9
SUSE CVE
added 2025/04/16 2:35 a.m.; 3 views

SUSE CVE-2025-32908

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of the pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS)...

CVSS 7.5, AI score 6.4, EPSS 0.00502
Exploits 0, References 8
OSV
added 2025/04/14 2:15 p.m.; 2 views

DEBIAN-CVE-2025-32908

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of the pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS)...

CVSS 7.5, AI score 7.1, EPSS 0.00502
Exploits 0, References 1
OSV
added 2023/12/26 5:27 p.m.; 6 views

CLSA-2023-1703611617 Fix CVE(s): CVE-2023-45539

SECURITY UPDATE: Accepting '' as part of the URI component might allow remote attackers to obtain sensitive information or have unspecified other impact - debian/patches/CVE-2023-45539.patch: h1: do not accept '' as part of the URI component; h2: reject more chars from the :path pseudo header -...

CVSS 8.2, AI score 6.8, EPSS 0.01526
Exploits 0, References 1
OSV
added 2023/12/21 6:01 p.m.; 4 views

CLSA-2023-1703181677 haproxy: Fix of CVE-2023-45539

CVE-2023-45539: h1: do not accept '' as part of the URI component; h2: reject more chars from the :path pseudo header...

CVSS 8.2, AI score 6.8, EPSS 0.01526
Exploits 0, References 1