1096 matches found
CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...
CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...
CVE-2026-39406
The CVE concerns @hono/node-server where a path handling inconsistency in serveStatic allows bypassing route-based middleware via repeated slashes (//) in the request path. Before version 1.19.13, the router may not match paths containing repeated slashes (e.g., /admin/*) while serveStatic resolv...
CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...
brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion
A flaw was found in the brace-expansion component. This denial of service DoS vulnerability allows a remote attacker to provide specially crafted input containing repeated numeric brace ranges. This input causes the library to attempt an unbounded expansion, consuming excessive CPU and memory...
CLSA-2026-1775649722 libxml2: Fix of 6 CVEs
CVE-2024-34459: fix buffer over-read in xmlHTMLPrintFileContext in xmllint - CVE-2025-8732: fix stack overflow from self-referencing SGML CATALOG entries - CVE-2026-0989: add RelaxNG include recursion limit - CVE-2026-0990: prevent infinite recursion in xmlCatalogListXMLResolveURI -...
EUVD-2026-20493
Hono: Middleware bypass via repeated slashes in serveStatic...
Hono: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
GHSA-WMMM-F939-6G9C Hono: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
Directory Traversal
Overview @hono/node-server is a Node.js Adapter for Hono Affected versions of this package are vulnerable to Directory Traversal due to inconsistent handling of repeated slashes in the serveStatic process. An attacker can access sensitive static files that are intended to be protected by bypassin...
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
EUVD-2026-20491
@hono/node-server: Middleware bypass via repeated slashes in serveStatic...
GHSA-92PP-H63X-V22M @hono/node-server: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
PT-2026-31280
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
PT-2026-31281
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
Uncontrolled Resource Consumption
github.com/containerd/containerd is vulnerable to uncontrolled resource consumption. The vulnerability is due to goroutine leaks in the attach mechanism, which allows an attacker to exhaust host memory by repeatedly initiating attach requests...
CVE-2018-25234 SmartFTP Client 9.0.2615.0 Denial of Service via Host Field
SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an applicatio...
CVE-2018-25234
CVE-2018-25234 affects SmartFTP Client 9.0.2615.0. The vulnerability is a local denial-of-service caused by supplying an excessively long string in the Host field, with demonstrations using a buffer of 300 repeated characters to trigger an application crash. The connected documents confirm the pr...
EUVD-2026-14565
OpenClaw before 2026.3.1 contains an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger memory exhaustion by varying query strings. Attackers can send repeated requests with different query parameters to the same webhook route,...
EUVD-2019-19990
Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of repeated characters and trigger the application to read it, causin...