194 matches found
CVE-2026-58467 Cockpit CMS 2.14.0 - Path Traversal Local File Inclusion via index.php
Cockpit CMS through 2.14.0 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATHINFO derived from REQUESTURI in filesystem path construction without containment checks...
CVE-2026-58467
Cockpit CMS prior to release 364 is affected by a path traversal and local file inclusion vulnerability. Unauthenticated attackers can craft a request (via the URL’s PATH_INFO in REQUEST_URI) to reach arbitrary files; if the resolved path ends with .php, it may be passed to include(), enabling lo...
CVE-2026-7828
UltraVNC repeater up to version 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, win_log() allocates memory with malloc(sizeof(struct LIST) + strlen(line)); if strlen(line) is large, the size overflows to a value smaller than sizeof(struct ...
CVE-2026-7828 UltraVNC repeater integer overflow in win_log malloc leading to heap overflow
UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the winlog function allocates list nodes via mallocsizeofstruct LIST + strlenline, where line is derived from HTTP request URIs. If strlenline is sufficiently large,...
GHSA-9C54-X2G4-V92J Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality
Impact An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server. This vulnerability exists because the global wrapMetrics middleware records the raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency a...
CVE-2026-54282
A flaw was found in Starlette, a lightweight Asynchronous Server Gateway Interface ASGI framework. Prior to version 1.3.0, the HTTP request path was not properly validated when reconstructing the request.url. A remote attacker could craft a malicious HTTP request path that does not begin with a...
keycloak-policy-enforcer: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
CVE-2026-9800 Keycloak-policy-enforcer: keycloak policy enforcer: authorization bypass via incorrect uri comparison
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
Splunk SOAR 安全漏洞
Splunk SOAR is a security orchestration, automation, and response platform provided by Splunk Inc. Versions of Splunk SOAR prior to 8.5.0 contained a security vulnerability. This vulnerability stemmed from SOAR failing to strip control characters from the HTTP request path before writing...
CVE-2026-41008 Spring Security Authorization Server Open Redirect via request_uri
Spring Security Authorization Server's authorization endpoint performs insufficient validation of the requesturi parameter. An attacker can craft a malicious authorization request containing an invalid requesturi and an arbitrary, unvalidated redirecturi, which can lead to an Open Redirect...
CVE-2026-39170
SemCms 5.0 is vulnerable to Cross Site Request Forgery CSRF via crafted POST request to /admin/semcmsuser.php...
GHSA-W342-MJ6G-V9C4 Klever-Go KVM: Hash-array amplification in P2P resolver request handling
Summary A connected peer can send a compressed RequestDataTypeHashArrayType direct request that is only 442 bytes on the wire but expands into 200000 decoded hash entries inside the resolver path. On klever-go v1.7.17, this allows remote memory and CPU amplification against nodes that accept P2P...
CVE-2026-9658
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost:...
CVE-2026-9658 Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost:...
Heimdall 安全漏洞
Heimdall is an open-source application panel and launcher developed by LinuxServer.io. Versions of Heimdall prior to 0.17.14 contained security vulnerabilities. These vulnerabilities stemmed from the use of the original request path for rule matching. Downstream components might normalize the que...
CoreDNS DoH GET path missing size validation causes CPU and memory amplification
...
GHSA-63CW-R7XF-JMWR CoreDNS DoH GET oversized dns= query parameter causes pre-validation CPU and memory amplification
Summary CoreDNS's DNS-over-HTTPS DoH GET path accepts oversized dns= query values and performs substantial request parsing, query unescaping, base64 decoding, and message unpacking work before returning 400 Bad Request. A remote, unauthenticated attacker can repeatedly send oversized DoH GET...
SourceCodester Pharmacy Sales and Inventory System 注入漏洞
SourceCodester Pharmacy Sales and Inventory System is an open-source medication sales and inventory management system developed by SourceCodester. Version 1.0 of the SourceCodester Pharmacy Sales and Inventory System has a SQL injection vulnerability, which stems from the handling of parameter ID...
CVE-2026-40878 mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...
mailcow: dockerized 跨站脚本漏洞
mailcow: dockerized is a Dockerized version of the mailcow open-source application. Versions before 2026-03b of mailcow had a cross-site scripting vulnerability. This vulnerability stemmed from the Web interface passing the original $SERVERREQUESTURI as a global template variable to Twig, and...