159 matches found
fast-uri: fast-uri: URI authority bypass due to improper delimiter handling
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier URI that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw...
fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator URL containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization...
CVE-2026-59923
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safeurl does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version...
CVE-2026-59923
CVE-2026-59923 affects Mistune, a Python Markdown parser. Before 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. The issue is fixed in version 3.3.0. E...
CVE-2026-59923 Mistune: XSS via percent-encoded javascript URI bypass in safe_url()
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safeurl does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version...
EUVD-2026-42324
OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...
PT-2026-56504
Name of the Vulnerable Software and Affected Versions @opentelemetry/propagator-jaeger versions prior to 2.9.0 Description The @opentelemetry/propagator-jaeger component decodes incoming uber-trace-id and uberctx- HTTP header values using the decodeURIComponent function without proper error...
fast-uri: fast-uri: URI authority bypass due to improper delimiter handling
A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier URI that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw...
CVE-2026-45822
A flaw was found in the decode-uri-component library. This vulnerability allows a remote attacker to trigger a Denial of Service DoS by submitting specially crafted input. The decode function, when processing a large number of encoded URI components, consumes excessive CPU resources, which can le...
CVE-2026-12243
A flaw was found in NLTK. An attacker can exploit a path traversal vulnerability by providing specially crafted input to nltk.data.load or nltk.data.find. This allows the attacker to read arbitrary files accessible to the Python process, leading to information disclosure. The vulnerability arises...
CVE-2026-12243
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue 3504. The UNSAFENOPROTOCOLRE regex in nltk/data.py checks for literal ../ sequences but fails to account for percent-encoded traversal sequences such as ..%2f. The url2pathname function decodes...
DEBIAN-CVE-2026-12243
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue 3504. The UNSAFENOPROTOCOLRE regex in nltk/data.py checks for literal ../ sequences but fails to account for percent-encoded traversal sequences such as ..%2f. The url2pathname function decodes...
EUVD-2026-40240
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue 3504. The UNSAFENOPROTOCOLRE regex in nltk/data.py checks for literal ../ sequences but fails to account for percent-encoded traversal sequences such as ..%2f. The url2pathname function decodes...
CVE-2026-45807
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard onl...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the handler/router.go process. An attacker can access arbitrary files on the host filesystem by sending requests with percent-encoded backslashes %5C that bypass path sanitization. Details A Directory Traversal...
CVE-2026-53779 WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows
WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMGPATH directory by sending requests with percent-encoded backslashes %5C that bypass the path.Clean sanitization in handler/router.go...
CVE-2026-53779
WebP Server Go 0.14.4 is affected by a path traversal flaw on Windows. Attackers can exploit percent-encoded backslashes (%5C) to bypass path.Clean() in handler/router.go, taking advantage of Go’s forward-slash normalization vs Windows path APIs to read files outside IMG_PATH. CVE records indicat...
Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse rejects URLs containing raw Unicode explicit-direction BiDi formatting characters U+202A–U+202E, U+2066–U+2069 as a defense against visual-spoofing of the rendered href. The check covers only the raw UTF-8 forms of thos...
SUSE CVE-2026-6322
fast-uri normalize decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator...
PT-2026-49066
Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.63.6 Description An issue exists where the software fails to properly normalize file paths when creating zip or tar archives on Linux hosts. Specifically, the getFiles function uses filepath.ToSlash, which does...