Lucene search
K

351 matches found

Cvelist
Cvelist
added 6 days ago38 views

CVE-2026-48618

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under...

7.7CVSS0.00674EPSS
Exploits0References1
Debian CVE
Debian CVE
added 6 days ago7 views

CVE-2026-48618

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under...

7.7CVSS6.7AI score0.00674EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.7 views

PT-2026-52129

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.31 Description Locale-dependent decimal formatting in the rrdtool function update function can lead to the corruption of RRDtool metric values. The function validates metric values using is numeric and incorporates...

2.9CVSS5.8AI score0.00104EPSS
Exploits0References5
NVD
NVD
added 2026/06/23 6:18 p.m.7 views

CVE-2026-52844

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/, but fileserver later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy...

7.5CVSS0.00409EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/23 4:45 p.m.33 views

CVE-2026-54014 Open WebUI: Sibling-Prefix Path Traversal via /cache/{path} in open-webui/open-webui

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache...

4.3CVSS0.00244EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2026-53538

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in...

5.9CVSS6.8AI score0.35963EPSS
Exploits1References3
OSV
OSV
added 2026/06/22 6:16 p.m.3 views

DEBIAN-CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS5.9AI score0.00176EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 6:16 p.m.16 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS0.00176EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 4:56 p.m.34 views

CVE-2026-53538 Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS0.00176EPSS
Exploits0References1
CVE
CVE
added 2026/06/22 4:56 p.m.24 views

CVE-2026-53538

CVE-2026-53538 affects python-multipart, a streaming multipart parser for Python. Prior to 0.0.30, the QuerystringParser treated ";" as a field separator in application/x-www-form-urlencoded bodies in addition to "&", creating a parsing differential against WHATWG/urllib.parse behavior that only ...

3.7CVSS5.8AI score0.00176EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/22 4:56 p.m.8 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS5.8AI score0.00176EPSS
Exploits0References2Affected Software1
Debian CVE
Debian CVE
added 2026/06/22 4:56 p.m.5 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS5.9AI score0.00176EPSS
Exploits0
Cvelist
Cvelist
added 2026/06/22 4:55 p.m.31 views

CVE-2026-53539 Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS0.00263EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerabilities in Firefox, Thunderbird, Expat, LibXMLTok

In xmlparse.c within Expat also known as libexpat, prior to version 2.4.5, attackers could insert namespace-separator characters into namespace URIs...

9.8CVSS7.1AI score0.34174EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerability in node-glob-parent

This affects the glob-parent package before version 5.1.2. The enclosure regex used to check for strings ending with an enclosure containing a path separator is affected...

7.5CVSS8AI score0.04456EPSS
Exploits1References1
OSV
OSV
added 2026/06/18 1:49 p.m.4 views

SUSE-SU-2026:2453-1 Security update for java-1_8_0-ibm

This update for java-180-ibm fixes the following issues - CVE-2026-22007: APIs in the specified component can lead to an unauthorized read access bsc1262490. - CVE-2026-22013: unauthenticated attacker with network access can access to critical data bsc1262494. - CVE-2026-22016: APIs in the...

9.8CVSS5.9AI score0.00702EPSS
Exploits0References16
Github Security Blog
Github Security Blog
added 2026/06/17 2:16 p.m.13 views

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

Summary A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator...

4.3CVSS5.3AI score0.00244EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.13 views

PT-2026-50486

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description A path traversal issue exists in the cache file serving endpoint '/cache/path:path' that allows authenticated users with the role of user or admin to read files from sibling directories outside th...

4.3CVSS5.9AI score0.00244EPSS
Exploits1References6
NVD
NVD
added 2026/06/15 10:16 p.m.14 views

CVE-2026-48713

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input. Backend.writeFile splits each queued missing-key string on the configured...

9.1CVSS0.00419EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 8:22 p.m.31 views

python-multipart: Semicolon treated as querystring field separator enables parameter smuggling

Summary QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...

5.9CVSS5.5AI score0.35963EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder