Lucene search
K

277 matches found

CVE
CVE
added yesterday9 views

CVE-2026-8384

CVE-2026-8384 describes a URI normalization issue in the context of Eclipse Jetty: a crafted HTTP URI like "/public;/../admin/secret.txt" yields an unresolved path "/public/../admin/secret.txt" instead of the expected "/admin/secret.txt". Jetty itself remains unaffected, since it won’t serve secr...

5.3CVSS6.1AI score0.00191EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added yesterday15 views

CVE-2026-8384

In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker only...

5.3CVSS0.00191EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday17 views

Scoold < 1.64.0 - Authentication Bypass

Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT...

8.7CVSS6AI score0.01008EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-56813 Cookie attribute injection in Plug.Conn.Cookies.encode/2

Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value a...

2.1CVSS0.00146EPSS
Exploits0References4
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-42876

Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value a...

2.1CVSS6.1AI score0.00146EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.5 views

io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests

A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...

8.8CVSS6AI score0.00444EPSS
Exploits0References5
NVD
NVD
added 2026/06/26 1:16 p.m.7 views

CVE-2026-57920

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/orgId endpoints...

7.7CVSS0.0022EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/26 12:20 p.m.36 views

CVE-2026-57920

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/orgId endpoints...

7.7CVSS0.0022EPSS
Exploits1References1
OSV
OSV
added 2026/06/26 7:58 a.m.2 views

SUSE-SU-2026:22372-1 Security update for python-python-multipart

This update for python-python-multipart fixes the following issues - CVE-2026-53537: multipart/form-data with extended parameters can lead to file or parameter smuggling bsc1268506. - CVE-2026-53538: urlencoded requests containing semicolons can lead to form field smuggling bsc1268496. -...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.15 views

PT-2026-52699

Name of the Vulnerable Software and Affected Versions Peplink InControl 2 versions 2 through 2.14.2 Description An access control bypass exists in certain /rest/o/orgId endpoints. This issue allows the use of a semicolon to circumvent established access-control rules. Recommendations Update Pepli...

7.7CVSS5.9AI score0.0022EPSS
Exploits1References6
NVD
NVD
added 2026/06/22 6:16 p.m.17 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS0.00176EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 6:16 p.m.42 views

CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS0.00263EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 4:56 p.m.41 views

CVE-2026-53538 Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS0.00176EPSS
Exploits0References1
CVE
CVE
added 2026/06/22 4:56 p.m.43 views

CVE-2026-53538

CVE-2026-53538 affects python-multipart, a streaming multipart parser for Python. Prior to 0.0.30, the QuerystringParser treated ";" as a field separator in application/x-www-form-urlencoded bodies in addition to "&", creating a parsing differential against WHATWG/urllib.parse behavior that only ...

3.7CVSS5.8AI score0.00176EPSS
Exploits0References1Affected Software1
Debian CVE
Debian CVE
added 2026/06/22 4:56 p.m.6 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS5.9AI score0.00176EPSS
Exploits0
OSV
OSV
added 2026/06/22 4:56 p.m.2 views

CVE-2026-53538 Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS5.9AI score0.00176EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 4:55 p.m.2 views

CVE-2026-53539 Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS6.2AI score0.00263EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/22 4:55 p.m.9 views

CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS6.1AI score0.00263EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/22 4:55 p.m.113 views

CVE-2026-53539

CVE-2026-53539 (Python-Multipart) affects the Python-Multipart streaming multipart parser. Prior to 0.0.30, parsing application/x-www-form-urlencoded bodies used a two-step field separator lookup, causing an O(B^2) worst-case workload per chunk when semicolon is used as the separator and no amper...

7.5CVSS6.1AI score0.00263EPSS
Exploits0References1Affected Software1
Debian CVE
Debian CVE
added 2026/06/22 4:55 p.m.7 views

CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS6.1AI score0.00263EPSS
Exploits0
Rows per page
Query Builder