Lucene search
K

15 matches found

Nuclei
Nuclei
added yesterday13 views

Vite Dev Server - Information Exposure

Vite dev server could allow reading files from the Vite project root by bypassing server.fs.deny with double forward-slash paths //. This affects exposed dev servers only. id: CVE-2023-34092 info: name: Vite Dev Server - Information Exposure author: ritikchaddha severity: high description: | Vite...

7.5CVSS7.1AI score0.03152EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/26 4:15 p.m.33 views

CVE-2026-55677 Echo: Encoded slash (%2F) bypasses route-level protection and exposes static files

Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path preserving %2F as-is, while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an...

7.5CVSS0.0043EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 10:16 p.m.8 views

CVE-2026-54281

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated clien...

8.7CVSS0.00285EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/19 8:26 p.m.6 views

CVE-2026-50559

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons %3B to smuggle matrix parameters past the security layer,...

7.5CVSS5.8AI score0.00392EPSS
Exploits1References2Affected Software1
Snyk
Snyk
added 2026/06/15 8:36 p.m.8 views

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 8:36 p.m.7 views

Nest: Middleware Bypass on Fastify via Trailing Slash

Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...

8.7CVSS5.3AI score0.00285EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/27 7:50 p.m.5 views

CVE-2026-33868 Mastodon has a GET-Based Open Redirect via '/web/%2F<domain>'

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability CWE-601 exists in the /web/ route due to improper handling of URL-encoded path segments. An attacker can craft a specially encode...

4.3CVSS6AI score0.00515EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/10 12:8 p.m.2 views

CVE-2026-2742 Unauthorized session creation via reserved framework path access

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without ...

5.3CVSS5.8AI score0.00391EPSS
Exploits0References7
NVD
NVD
added 2026/03/06 6:16 p.m.8 views

CVE-2026-29087

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections e.g. protecting /admin/, inconsistent URL decoding can allow protected static resources to be accessed...

7.5CVSS0.00327EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/10 12:25 a.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via improper normalization of URL paths in the rules. An attacker can gain unauthorized access to restricted files and perform unauthorized modifications by crafting requests with multiple leading slashes in the...

8.6CVSS5.6AI score0.00461EPSS
Exploits2References2
Tenable Nessus
Tenable Nessus
added 2025/10/07 12:0 a.m.4 views

Grafana < 10.4.17 Improper Authorization

According to its self-reported version, the Grafana install hosted on the remote host is prior to 10.4.17, or 11.2.x prior to 11.2.8, or 11.3.x prior to 11.3.5, or 11.4.x prior to 11.4.3, or 11.5.x prior to 11.5.3. It is, therefore, affected by an improper authorization. - Grafana's datasource...

5CVSS5.4AI score0.00414EPSS
Exploits0References2
OSV
OSV
added 2024/02/20 10:15 a.m.2 views

CVE-2024-25609

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 service pack 3, 7.2 fix pack 15 through 18, and older unsupported versions can be circumvented by using two forward slashes, which allows remote attackers to...

6.1CVSS5.9AI score0.00355EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2023/06/01 12:0 a.m.2 views

PT-2023-24665

Name of the Vulnerable Software and Affected Versions Vite versions prior to 2.9.16 Vite versions prior to 3.2.7 Vite versions prior to 4.0.5 Vite versions prior to 4.1.5 Vite versions prior to 4.2.3 Vite versions prior to 4.3.9 Description The issue involves a security risk in Vite where the...

7.5CVSS7AI score0.03152EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2021/05/28 12:0 a.m.3 views

PT-2021-18253 · Envoy · Envoy

Name of the Vulnerable Software and Affected Versions: Envoy versions 1.18.2 and earlier Description: Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. ...

8.3CVSS8.4AI score0.68383EPSS
Exploits0References6
OSV
OSV
added 2007/07/24 12:30 a.m.1 views

DEBIAN-CVE-2007-3949

modaccess.c in lighttpd 1.4.15 ignores trailing / slash characters in the URL, which allows remote attackers to bypass url.access-deny settings...

8.3CVSS7AI score0.03299EPSS
Exploits0References1
Rows per page
Query Builder