303 matches found
Interpretation Conflict
Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the propagation of middleware paths to child plugin scopes due to incorrect re-prefixing. An attacker can gain unauthorized access to protected routes by...
Improper Input Validation
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Input Validation via the getCookie function. An attacker can override legitimate cookies and bypass prefix protections by setting cookies with non-breaking space prefixes, leadin...
Linux Distros Unpatched Vulnerability : CVE-2026-34785
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static...
EUVD-2026-18382
Rack::Static prefix matching can expose unintended files under the static root...
DEBIAN-CVE-2026-34785
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with...
CVE-2026-34785
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with...
CVE-2026-32716
A flaw was found in SciTokens. The Enforcer component incorrectly validates scope paths by using a simple prefix match. This allows an attacker with a valid token for a specific path to gain unauthorized access to sibling paths that share the same prefix. This authorization bypass can lead to...
PT-2026-29401
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 through 3.6.1 Description: SiYuan is a personal knowledge management system. The SanitizeSVG function, introduced in version 3.6.0 to address XSS in the unauthenticated /api/icon/getDynamicIcon endpoint, can be bypassed ...
SUSE CVE-2026-32941
Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM Out-of-Memory vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an...
CVE-2026-32941
Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM Out-of-Memory vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an...
CVE-2026-32941
Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM Out-of-Memory vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an...
CVE-2026-32941 Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports
Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM Out-of-Memory vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an...
CVE-2026-22217
OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variabl...
GO-2026-4697 SFTPGo improperly sanitizes placeholders in group home directories/key prefixes in github.com/drakkan/sftpgo
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes in github.com/drakkan/sftpgo...
CVE-2026-30915 SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
CVE-2026-30915 SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using...
EUVD-2026-12073
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes...
SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
Impact SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the...
GHSA-M83Q-5WR4-4GFP SFTPGo improperly sanitizes placeholders in group home directories/key prefixes
Impact SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the...
GHSA-F6H3-846H-2R8W OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization
Summary In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit. Context OpenClaw is commonly used in 1:1 chats or trusted group...