4 matches found
CVE-2026-41428
Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...
CVE-2026-41062 WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parse_url($url, PHP_URL_PATH) for .. sequences. However, the downstream function...
GHSA-V2WJ-Q39Q-566R Vite: `server.fs.deny` bypassed with queries
Summary: The contents of files that are specified by server.fs.deny can be returned to the browser. Impact: Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - the sensitive file exists in th...
CVE-2025-30208
CVE-2025-30208 (Vite): In affected Vite versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10, an attacker can bypass file-access controls via URLs using trailing query markers (e.g., ?raw?? or ?import&raw??), causing arbitrary files to be exposed when the dev server is network-accessible. ...