Lucene search
K

11 matches found

Cvelist
Cvelist
added 2026/06/26 4:15 p.m.33 views

CVE-2026-55677 Echo: Encoded slash (%2F) bypasses route-level protection and exposes static files

Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...

7.5CVSS0.0043EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 4:15 p.m.14 views

CVE-2026-55677

Echo (Go framework) prior to 4.15.3 and 5.2.0 has a router vs static file handler decoding mismatch: the router uses the raw encoded path while StaticDirectoryHandler unescapes %2F to /, enabling bypass of route-level access controls to read static files without authorization. The vulnerability i...

7.5CVSS5.8AI score0.0043EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/24 9:4 p.m.31 views

CVE-2026-41248 Official Clerk JavaScript SDKs: Middleware-based route protection bypass

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...

9.1CVSS0.00323EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/24 9:4 p.m.5 views

CVE-2026-41248 Official Clerk JavaScript SDKs: Middleware-based route protection bypass

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...

9.1CVSS5.2AI score0.00323EPSS
Exploits0References1
CVE
CVE
added 2026/04/24 9:4 p.m.65 views

CVE-2026-41248

The CVE-2026-41248 affects Clerk JavaScript repositories: createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by crafted requests, bypassing middleware gating and reaching downstream handlers. Affected fixes are: @clerk/astro 1.5.7, 2.17.10, 3.0.15; @clerk/nextjs 5....

9.1CVSS5.3AI score0.00323EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/08 2:34 p.m.5 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.4 views

PT-2026-23096

Name of the Vulnerable Software and Affected Versions @hono/node-server versions prior to 1.19.10 Description @hono/node-server allows running the Hono application on Node.js. When using static file serving with route-based middleware protections, inconsistent URL decoding can allow protected...

7.5CVSS5.8AI score0.00327EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.5 views

PT-2026-23075

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.4 Description Hono is a Web application framework supporting various JavaScript runtimes. An inconsistency in URL decoding between the router decodeURI and serveStatic decodeURIComponent allowed protected static...

9.8CVSS5.9AI score0.00437EPSS
Exploits0References176
CVE
CVE
added 2026/01/19 3:24 p.m.16 views

CVE-2026-22031

CVE-2026-22031 affects the Fastify middleware plugin @fastify/middie (prior to 9.1.0). A vulnerability allows bypassing a middleware registered with a path prefix by using URL-encoded paths (e.g., /%61dmin). The middie engine uses path-to-regexp for matching; the regex is applied to the undecoded...

8.8CVSS5.5AI score0.00457EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2025/05/15 8:0 p.m.18 views

GO-2025-3672 goshs route not protected, allows command execution in github.com/patrickhener/goshs

goshs route not protected, allows command execution in github.com/patrickhener/goshs...

9.4CVSS6.9AI score0.00605EPSS
Exploits0References3
OSV
OSV
added 2024/02/29 6:15 a.m.1 views

UBUNTU-CVE-2023-52483

In the Linux kernel, the following vulnerability has been resolved: mctp: perform route lookups under a RCU read-side lock Our current route lookups mctproutelookup and mctproutelookupnull traverse the net's route list without the RCU read lock held. This means the route lookup is subject to...

7.8CVSS5.9AI score0.00231EPSS
Exploits0References3
Rows per page
Query Builder