12 matches found

Vulnrichment
added 2026/05/28 3:26 p.m., 9 views

CVE-2026-47676 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...

CVSS 5.3, AI score 5.8, EPSS 0.0026; exploits: 0, references: 1
CNNVD
added 2026/05/28 12:00 a.m., 12 views

DeepCode path traversal vulnerability

DeepCode is an open-source multi-agent code generation tool from the Data Intelligence Lab@HKU. Versions of DeepCode before c991dc2 contained a path traversal vulnerability. It originated in the SPA catch-all route in newui/backend/main.py, which had a path traversal vulnerability...

CVSS 8.7, AI score 6, EPSS 0.00376; exploits: 1, references: 2
CNNVD
added 2026/05/13 12:00 a.m., 13 views

Nitro path traversal vulnerability

Nitro is an open-source, zero-configuration, production-grade server toolkit developed by the Nitro project. Versions before 3.0.260429-beta contained a path traversal vulnerability: an attacker could send percent-encoded paths in URLs, causing Nitro to redirect requests to...

CVSS 5.3, AI score 5.8, EPSS 0.00392; exploits: 0, references: 1
Snyk
added 2026/05/06 11:1 p.m., 6 views

Directory Traversal

Overview: org.webjars.npm:nitropack is a package for building and deploying universal JavaScript servers. Affected versions of this package are vulnerable to Directory Traversal via the routeRules function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs...

CVSS 6.9, AI score 6.3, EPSS 0.00392; exploits: 0, references: 2
Debian CVE
added 2026/05/04 7:31 p.m., 7 views

CVE-2026-6321

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize and equal functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications...

CVSS 7.5, AI score 5.8, EPSS 0.00521; exploits: 0
RedhatCVE
added 2026/04/16 7:58 p.m., 6 views

CVE-2026-6414

A flaw was found in @fastify/static. A remote attacker can exploit this vulnerability by sending specially crafted requests that include percent-encoded path separators. This mismatch in how @fastify/static decodes these separators compared to the Fastify router allows the attacker to bypass...

CVSS 5.9, AI score 5.7, EPSS 0.00398; exploits: 0, references: 7
Snyk
added 2026/04/02 6:20 p.m., 6 views

Improper Handling of Length Parameter Inconsistency

Overview: rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a singl...

CVSS 6.5, AI score 5.9, EPSS 0.00147; exploits: 0, references: 2
Cvelist
added 2026/04/02 4:43 p.m., 15 views

CVE-2026-34831 Rack: Content-Length mismatch in Rack::Files error responses

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the...

CVSS 4.8, EPSS 0.00147; exploits: 0, references: 1
Positive Technologies
added 2026/04/02 12:00 a.m., 7 views

PT-2026-29819

Name of the vulnerable software and affected versions: Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. Description: Rack's Rack::Files#fail function incorrectly calculates the Content-Length response header using String#size instead of String#bytesize. This occurs when the response body contains...

CVSS 7.5, AI score 5.9, EPSS 0.00209; exploits: 0, references: 54
Snyk
added 2026/03/18 4:18 p.m., 4 views

Directory Traversal

Overview: org.webjars.npm:h3 is a minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access arbitrary files outside the intended static directory by sending crafted...

CVSS 8.2, AI score 6.5; exploits: 0, references: 2
OSV
added 2023/06/09 7:31 p.m., 12 views

GHSA-VCVG-XGR8-P5GQ Arbitrary file read using percent-encoded relative paths in FileMiddleware

Impact: Attackers can access data at arbitrary filesystem paths on the same host as an application using FileMiddleware. Patches: Version 4.29.4. Workarounds: Upgrade to 4.24.4 or later, or disable FileMiddleware. References: Introduced in https://github.com/vapor/vapor/pull/2223. Fixed by...

CVSS 6.5, AI score 7.2, EPSS 0.0153; exploits: 0, references: 5
Snyk
added 2022/11/02 2:36 p.m., 2 views

Arbitrary File Read

Overview: vapor/vapor is a server-side Swift HTTP web framework. Affected versions of this package are vulnerable to Arbitrary File Read, caused by percent-encoded relative paths in FileMiddleware. Remediation: Upgrade vapor/vapor to version 4.29.4 or higher. References: - GitHu...

CVSS 8.5, AI score 6.9, EPSS 0.0153; exploits: 0, references: 2