Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching

AI Disclosure I used an LLM to help review the source code, reason about attack surface, and help draft and refine this report. I manually validated the finding by reproducing it locally, confirming the vulnerable code path, and verifying the HTTP behavior with curl -v. Summary Caddy's remote adm...

CVE-2026-40876

CVE-2026-40876 (goshs) describes an SFTP jail-escape due to a prefix-based path validation bug in the sftpserver.helper.go sanitizePath implementation. The code uses a raw string-prefix check to validate the target path against the configured root, which allows a sibling path (e.g., /tmp/goshsroo...

SUSE CVE-2026-32716

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match startswith. This allows a token with access to a specific path e.g., /john to also access sibling paths that start with the sa...

PT-2026-29184

Name of the Vulnerable Software and Affected Versions SciTokens versions prior to 1.9.6 Description SciTokens is a library for generating and using SciTokens. The Enforcer component incorrectly validates scope paths using a simple prefix match, allowing a token with access to a specific path to...

CVE-2026-23942

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Erlang OTP sshsftpd module allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl and program routines sshsftpd:iswithinroot/2. The SFTP server uses string...

jenkins: Missing permission check for paths with specific prefix

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission...