Lucene search
K

76 matches found

OSV
OSV
added 2026/03/30 5:5 p.m.2 views

GHSA-GM2X-2G9H-CCM8 go-git missing validation decoding Index v4 files leads to panic

Impact go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This...

2.8CVSS5.9AI score0.00153EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.4 views

PT-2026-29156

Name of the Vulnerable Software and Affected Versions go-git versions prior to 5.17.1 Description The go-git library’s index decoder for Git index format version 4 does not properly validate the path name prefix length before applying it to the previously decoded path name. A specially crafted...

2.8CVSS5.9AI score0.00153EPSS
Exploits0References177
NVD
NVD
added 2026/03/13 7:54 p.m.11 views

CVE-2026-23942

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Erlang OTP sshsftpd module allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl and program routines sshsftpd:iswithinroot/2. The SFTP server uses string...

5.4CVSS0.00363EPSS
Exploits0References7
OSV
OSV
added 2026/03/13 7:54 p.m.6 views

UBUNTU-CVE-2026-23942

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Erlang OTP sshsftpd module allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl and program routines sshsftpd:iswithinroot/2. The SFTP server uses string...

5.4CVSS5.8AI score0.00363EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/03/13 9:11 a.m.26 views

CVE-2026-23942 SFTP root escape via component-agnostic prefix check in ssh_sftpd

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Erlang OTP sshsftpd module allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl and program routines sshsftpd:iswithinroot/2. The SFTP server uses string...

5.3CVSS0.00363EPSS
Exploits0References7
OSV
OSV
added 2026/02/18 7:21 p.m.4 views

UBUNTU-CVE-2026-22860

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory...

7.5CVSS6.7AI score0.00665EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/01/19 12:0 a.m.6 views

@fastify/middie security vulnerabilities

@fastify/middie is an open-source middleware engine developed by Fastify. Versions of @fastify/middie prior to 9.1.0 contained security vulnerabilities. These vulnerabilities were due to improper path prefix matching, which could allow the middleware to bypass security checks...

8.8CVSS5.8AI score0.00457EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/01/19 12:0 a.m.8 views

@fastify/express security vulnerability

@fastify/express is a compatibility plugin developed by Fastify. Versions of @fastify/express prior to 4.0.3 contained security vulnerabilities. These vulnerabilities were caused by improper path prefix matching, which could allow middleware to bypass security checks...

8.4CVSS5.8AI score0.00321EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/19 12:0 a.m.13 views

PT-2026-3452

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.3 Description A security issue exists in the @fastify/express plugin, which provides Express compatibility for Fastify. The problem occurs when middleware is registered with a specific path prefix...

8.4CVSS5.3AI score0.00321EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/01/01 12:0 a.m.11 views

PT-2026-20305

Name of the Vulnerable Software and Affected Versions Rack versions prior to 2.2.22 Rack versions prior to 3.1.20 Rack versions prior to 3.2.5 Description The Rack::Directory component had a path check that used a string prefix match on the expanded path. A crafted request, such as /../root...

10CVSS5.5AI score0.35376EPSS
Exploits6References55
CVE
CVE
added 2025/11/12 9:40 p.m.707 views

CVE-2025-64500

Affected component: Symfony HttpFoundation (Symfony PHP framework). Vulnerability: The Request class improperly interprets some PATH_INFO, allowing representation of URLs without a leading slash and potentially bypassing access-control rules that assume a leading “/”. Versions and root cause: Pri...

7.3CVSS6.1AI score0.01326EPSS
Exploits0References5Affected Software2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-23570

Malicious code in bioql PyPI...

6.9CVSS6.3AI score0.00668EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2025/08/07 12:31 a.m.12 views

CVE-2025-54387

IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path...

6.9CVSS6AI score0.00668EPSS
Exploits1References1
NVD
NVD
added 2025/08/05 1:15 a.m.17 views

CVE-2025-54387

IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path...

9.8CVSS0.00668EPSS
Exploits1References5
OSV
OSV
added 2025/08/05 12:10 a.m.8 views

CVE-2025-54387 IPX is Vulnerable to Path Traversal via Prefix Matching Bypass

IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path...

6.9CVSS6.5AI score0.00668EPSS
Exploits1References7
CNNVD
CNNVD
added 2025/08/05 12:0 a.m.5 views

IPX 安全漏洞

IPX is an image optimizer open-sourced by UnJS. A security vulnerability exists in IPX versions 1.3.1 and earlier, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, which stems from improper path prefix checking and could lead to path prefix bypass...

9.8CVSS6.4AI score0.00668EPSS
Exploits1References6
Snyk
Snyk
added 2025/05/28 2:25 p.m.1 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal when using the PathPrefix, Path, or PathRegex route matchers. An attacker can target a backend exposed using another router, by-passing the middleware chain by crafting a request with a manipulated path using...

6.3CVSS7.6AI score0.00784EPSS
Exploits0References2
Snyk
Snyk
added 2025/05/28 2:25 p.m.2 views

Directory Traversal

Overview github.com/traefik/traefik/v2/pkg/server is a server package for traefik, a cloud native edge router. Affected versions of this package are vulnerable to Directory Traversal when using the PathPrefix, Path, or PathRegex route matchers. An attacker can target a backend exposed using anoth...

6.3CVSS7.7AI score0.00784EPSS
Exploits0References2
Snyk
Snyk
added 2025/05/28 2:25 p.m.1 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal when using the PathPrefix, Path, or PathRegex route matchers. An attacker can target a backend exposed using another router, by-passing the middleware chain by crafting a request with a manipulated path using...

6.3CVSS7.6AI score0.00784EPSS
Exploits0References2
Snyk
Snyk
added 2025/04/21 3:40 p.m.1 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal when routing requests to a backend using a PathPrefix, Path, or PathRegex matcher. An attacker can bypass the middleware chain to access backend services by including traversal sequences like /../ in a request. Detai...

9.3CVSS7.7AI score0.00768EPSS
Exploits0References2
Rows per page
Query Builder