267 matches found
CVE-2026-0707 Keycloak: keycloak authorization header parsing leading to potential security control bypass
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters such as tabs as separators and tolerates case variations that deviate from RFC 6750 specifications...
CVE-2026-0707
CVE-2026-0707 affects Keycloak’s Authorization header parser, which is overly permissive with the Bearer scheme. The vulnerability accepts non-standard separators (e.g., tabs) and tolerates case variations that deviate from RFC 6750, enabling potential authentication handling bypasses. Public sou...
PT-2026-1976
Name of the vulnerable software and affected versions: Keycloak (affected versions not specified). Description: The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters, such as tabs, as separators...
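To make the Keycloak entries above concrete, here is an added example (not Keycloak's code) that puts a strict RFC 6750 Bearer parser next to a permissive one behaving the way CVE-2026-0707 describes, and diffs them over a set of constructed headers. The token values and the header list are made up for the demo.

```javascript
// Added example (not Keycloak code): a strict RFC 6750 Bearer parser next to a
// permissive one that behaves the way CVE-2026-0707 describes, so the two can
// be diffed over a set of constructed headers.

// RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
//   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const STRICT_BEARER = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/;

// Strict parser: exact scheme case, one or more ASCII spaces, b64token only.
function parseBearerStrict(header) {
  const m = STRICT_BEARER.exec(header || "");
  return m ? m[1] : null;
}

// Permissive parser (assumed model of the vulnerable behaviour): any run of
// whitespace, tabs included, separates scheme and token, and the scheme is
// compared case-insensitively.
function parseBearerPermissive(header) {
  const parts = (header || "").trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") return null;
  return parts[1];
}

// Headers that a strict front-end control (gateway rule, WAF signature, audit
// logger keyed on "Bearer ") would not classify as bearer authentication, but
// that the permissive backend still accepts: the parser-differential gap.
function findDisagreements(headers) {
  return headers.filter(
    (h) => parseBearerStrict(h) === null && parseBearerPermissive(h) !== null
  );
}

// Constructed sample headers; the token is a placeholder, not a real credential.
const SAMPLE_HEADERS = [
  "Bearer abc.def.ghi",               // canonical form, both parsers agree
  "Bearer\tabc.def.ghi",              // tab instead of SP
  "bearer abc.def.ghi",               // lowercase scheme
  "BEARER \t abc.def.ghi",            // mixed whitespace and case
  "Basic YWxhZGRpbjpvcGVuc2VzYW1l",   // different scheme, both reject
];

console.log(findDisagreements(SAMPLE_HEADERS));
```

One caveat when reading the advisory: HTTP's generic auth-scheme grammar (RFC 7235) compares scheme names case-insensitively, so leniency on its own is not the defect. The risk is that two components in the same request path classify the same header differently, which is what the disagreement list surfaces; any control that keys on the exact string "Bearer " should be tested with the non-canonical forms above.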
HTML Injection
mailgen is vulnerable to HTML injection. The vulnerability is due to improper stripping of HTML tags in the generatePlaintext method when Unicode line-separator characters bypass the regex filter, which allows an attacker to inject unexpected HTML that can be interpreted as executable script...
Parameter-parsing Bypass
Rack is vulnerable to a parameter-parsing bypass. The vulnerability is due to Rack::QueryParser enforcing its params_limit only for parameters separated by & while still splitting on both & and ;, which allows an attacker to bypass the parameter count limit by using ; separators to submit excessiv...
CVE-2025-62380
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user generated content is supplied. The plaintext...
CVE-2025-62380
Mailgen (Node.js) versions up to 2.0.31 expose an HTML injection/XSS risk in plaintext output generated by generatePlaintext. The plaintext cleaning code strips HTML tags with a regex, decodes HTML entities, and then replaces decoded content; however, HTML tags containing certain Unicode line sep...
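The mailgen entries above describe a tag-stripping regex defeated by Unicode line separators. The following is an added example, not mailgen's code, that models that bug class in Node; it assumes the vulnerable filter used "." to span the tag body, and the entity decoder and payload are constructed for the demo.

```javascript
// Added example (not mailgen code): a tag-stripping regex that fails across a
// Unicode line separator, modelling the bug class in CVE-2025-62380.
// Assumption: the vulnerable filter used "." to span the tag body.

// In JavaScript "." never matches a LineTerminator, and U+2028 (LINE SEPARATOR)
// and U+2029 (PARAGRAPH SEPARATOR) are LineTerminators, so a tag whose
// attributes are separated by U+2028 is never matched by this pattern.
const STRIP_TAG_VULN = /<.*?>/g;

// [\s\S] matches every code unit, U+2028 included.
const STRIP_TAG_FIXED = /<[\s\S]*?>/g;

// Minimal entity decoder standing in for the real one.
function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Vulnerable pipeline: strip tags with the narrow regex, then decode entities.
function toPlaintextVulnerable(html) {
  return decodeEntities(html.replace(STRIP_TAG_VULN, ""));
}

// Hardened pipeline: strip across line terminators, decode, then escape any
// angle bracket that survived so the "plaintext" can never carry markup into
// an HTML context downstream.
function toPlaintextFixed(html) {
  const stripped = decodeEntities(html.replace(STRIP_TAG_FIXED, ""));
  return stripped.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Constructed attacker-supplied content: U+2028 instead of a space inside the tag.
const PAYLOAD = "Hi <img\u2028src=x onerror=alert(1)> there";

console.log(toPlaintextVulnerable(PAYLOAD)); // tag survives intact
console.log(toPlaintextFixed(PAYLOAD));      // "Hi  there"
```

The regex change closes the specific bypass; the final escaping step is what removes the class of bug, since a stripped-then-decoded string is only safe if nothing downstream treats it as HTML.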
JLSEC-2025-53 xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator chara...
xmlparse.c in Expat aka libexpat before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs...
EUVD-2018-0310
Malware in sbrugna...
EUVD-2021-0186
Malware in sbrugna...
EUVD-2025-31103
Malicious code in bioql PyPI...
EUVD-2022-52461
Malicious code in bioql PyPI...
EUVD-2022-52463
Malicious code in bioql PyPI...
CVE-2025-11233
Starting from Rust 1.87.0 and before Rust 1.89.0, the tier 3 Cygwin target x86_64-pc-cygwin didn't correctly handle path separators, causing the standard library's Path API to ignore path components separated by backslashes. Due to this, programs compiled for Cygwin that validate paths could...
CVE-2025-11233
CVE-2025-11233 affects Rust when using the tier 3 Cygwin target (x86_64-pc-cygwin) with Rust 1.87.0 up to 1.88.x. The standard library Path API failed to handle backslash-separated components on Cygwin, potentially enabling path traversal or unsafe filesystem operations. Rust 1.89.0 fixes the iss...
Rust security vulnerability
Rust is a general-purpose, compiled programming language originally developed at Mozilla. A security vulnerability exists in Rust versions from 1.87.0 up to but not including 1.89.0, which stems from improper handling of path separators on the Cygwin target and could lead to a path traversal attack or malicious file system...
CVE-2025-59830 Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters...
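Both Rack entries on this page (the parameter-parsing bypass entry and CVE-2025-59830) describe the same mismatch: the limit counts one separator while the split uses two. The following is an added example, not Rack's code, modelling that mismatch in JavaScript beside a parser that counts what it actually produced; the limit values and query strings are constructed for the demo, and which remedy Rack 2.2.18 chose is not stated on this page.

```javascript
// Added example (not Rack code): a query-string parser that enforces
// params_limit by counting one separator while splitting on two, modelling
// CVE-2025-59830, beside a version that counts what it actually produced.

// Splits "key=value" on the first "=" only; a bare key gets an empty value.
function splitPair(pair) {
  const i = pair.indexOf("=");
  return i < 0 ? [pair, ""] : [pair.slice(0, i), pair.slice(i + 1)];
}

// Vulnerable: the limit is checked by counting '&' only ...
function parseQueryVulnerable(qs, limit) {
  const count = (qs.match(/&/g) || []).length + 1;
  if (count > limit) throw new RangeError("params_limit exceeded");
  // ... but the string is still split on both '&' and ';'.
  return qs.split(/[&;]/).filter((p) => p.length > 0).map(splitPair);
}

// Fixed: split first with whatever separators are in use, then count pairs.
// (Restricting the split to '&' alone would also close the gap.)
function parseQueryFixed(qs, limit) {
  const pairs = qs.split(/[&;]/).filter((p) => p.length > 0);
  if (pairs.length > limit) throw new RangeError("params_limit exceeded");
  return pairs.map(splitPair);
}

// Builds "p0=1<sep>p1=1<sep>..." for n parameters (constructed input).
function buildQuery(n, sep) {
  return Array.from({ length: n }, (_, i) => `p${i}=1`).join(sep);
}

// How many parameters a parser let through for a given separator,
// or -1 if it rejected the request.
function acceptedCount(parser, n, sep, limit) {
  try {
    return parser(buildQuery(n, sep), limit).length;
  } catch (e) {
    if (e instanceof RangeError) return -1;
    throw e;
  }
}

console.log(acceptedCount(parseQueryVulnerable, 10, "&", 5)); // -1, limit enforced
console.log(acceptedCount(parseQueryVulnerable, 10, ";", 5)); // 10, limit bypassed
console.log(acceptedCount(parseQueryFixed, 10, ";", 5));      // -1
```

The general lesson is that any resource limit has to be measured on the same tokenisation the parser actually performs; a pre-check that scans the raw string with a different notion of "separator" is a limit in name only.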
Django: Path traversal via archive.extract - CVE 2021-3281 incomplete patch
A vulnerability was discovered in the "extract" function of the ZipArchive and TarArchive classes in the Django framework. The vulnerability was caused by the use of the "abspath" function, which removes terminating path separators. This left the guard logic insufficient to protect...