74 matches found
CVE-2026-46341 Apify MCP server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool in src/tools/common/fetchapifydocs.ts validates allowlisted documentation domains with...
CVE-2026-46341
CVE-2026-46341 affects Apify MCP Server prior to v0.9.21, where fetch-apify-docs.ts validates allowed domains with a startsWith() check instead of proper hostname comparison, enabling attacker-controlled subdomains (e.g., https://docs.apify.com.evil.com/ or https://[email protected]/) to pa...
CVE-2026-46341 Apify MCP server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
The Apify MCP server enables AI agents to extract data from websites using ready-made scrapers, crawlers, and automation tools available on the Apify Store. Prior to 0.9.21, the fetch-apify-docs tool in src/tools/common/fetchapifydocs.ts validates allowlisted documentation domains with...
CVE-2026-56015
Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length. add passes the prefix string to the trie builder addPrefixToTrie without checking it against the address width. addPrefixToTrie then walks the prefix buffer by prefixlength bits, reading...
CVE-2026-45692
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different...
GHSA-529G-XQ4F-CW38 @astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
Summary @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remoteimages regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as .example.com is converted to an optional subdomain regex, so the apex host matches....
EUVD-2026-36627
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoin...
CVE-2026-53839
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoin...
CVE-2026-53839 OpenClaw < 2026.5.7 - Hostname Prefix Matching Bypass in Trusted Retry Endpoint Validation
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoin...
PT-2026-49064
Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.63.6 Description Public share handlers rebase the share owner's filesystem root to the shared directory and evaluate descendant paths against global and per-user rules using the rebased relative path instead of...
GHSA-GX7W-56W6-G48X Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
AI Disclosure I used an LLM to help review the source code, reason about attack surface, and help draft and refine this report. I manually validated the finding by reproducing it locally, confirming the vulnerable code path, and verifying the HTTP behavior with curl -v. Summary Caddy's remote adm...
PT-2026-41964
Name of the Vulnerable Software and Affected Versions Caddy versions 2.4.0 through 2.11.2 Description An authorization-to-object mismatch exists in the remote admin functionality. The authorization layer uses string prefix matching, while the /config traversal layer parses array indices numerical...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the group subscription process. An attacker can gain unauthorized access to groups that were not intended to be accessible by creating groups with prefixes matching those of whitelisted groups. Remediation A...
CVE-2026-6342 Group prefix matching bypass for subscriptions
Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID:...
PT-2026-41647
Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID:...
Rack::Static prefix matching can expose unintended files under the static root
Summary Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...
CVE-2026-34785
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with...
CVE-2026-34785
CVE-2026-34785 affects Rack (modular Ruby web server interface). Vulnerable component: Rack::Static. Issue: a simplistic string-prefix check for URL prefixes (e.g., "/css") causes matches on paths starting with that string, potentially serving files under the static root whose names merely share ...
CVE-2026-34785 Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with...
CVE-2026-34785 Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with...