PT-2026-50152

Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.84.0 Description A Host-header parsing flaw in the LiteLLM proxy allows unauthenticated access to protected management routes. The authentication layer derives the effective route from request.url.path in the get...

CVE-2026-39411

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

Authentication Bypass

github.com/traefik/traefik is vulnerable to an authentication bypass. The vulnerability is due to improper sanitization of forwarded header alias variants using underscores instead of dashes, which allows an attacker to inject spoofed trusted headers and bypass authentication on protected routes...

Authentication Bypass

Apache Camel is vulnerable to Authentication Bypass. The vulnerability is due to the authentication handler matching only the exact configured context path, not its subpaths, where unauthenticated requests to subpaths can reach protected business routes and management endpoints without being...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the default authentication path to / when not explicitly configured in BasicAuthenticationConfigurer and JWTAuthenticationConfigurer. An attacker can access protected business...

Incorrect Authorization

Overview @clerk/shared is an Internal package utils used by the Clerk SDKs Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected...

CVE-2026-39411

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

GHSA-XG6X-H9C9-2M83 Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)

Summary Under certain configurations, sessions may be considered valid before two-factor authentication 2FA is fully completed. This can allow access to authenticated routes without verifying the second factor. --- Description When two-factor authentication is enabled, the authentication flow...

Authentication Bypass

Astro is vulnerable to an authentication bypass. The vulnerability is due to improper handling of double URL encoding in middleware pathname checks, which allows an unauthenticated attacker to bypass path-based authentication and gain unauthorized access to protected routes...

Authentication Bypass

Astro is vulnerable to Authentication Bypass. The vulnerability is due to inconsistent path normalization between Astro’s routing logic and middleware validation, where routing applies decodeURI but middleware checks context.url.pathname without decoding, allowing attackers to access protected...

CVE-2026-29045 Hono: Arbitrary file access via serveStatic vulnerability

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...

CVE-2026-23837

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication...

CVE-2026-23837 MyTube has an Authorization Bypass vulnerability

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication...

CVE-2026-23837 MyTube has an Authorization Bypass vulnerability

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication...

MyTube security vulnerability

MyTube is a video self-hosting downloader and player developed by Peifan Li. Versions of MyTube prior to 1.7.66 contained security vulnerabilities. These vulnerabilities stemmed from the authentication check implemented by roleBasedAuthMiddleware, which could be bypassed, allowing unverified user...

EUVD-2025-205611

Nest has a Fastify URL Encoding Middleware Bypass TOCTOU...

CVE-2025-69211

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVE-2025-69211 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVE-2025-69211 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVE-2025-66202

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8,...