Lucene search
K

351 matches found

OSV
OSV
added 2026/04/08 12:16 a.m.4 views

GHSA-WMMM-F939-6G9C Hono: Middleware bypass via repeated slashes in serveStatic

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.7AI score0.00459EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/08 12:16 a.m.4 views

EUVD-2026-20493

Hono: Middleware bypass via repeated slashes in serveStatic...

5.3CVSS5.9AI score0.00459EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/08 12:16 a.m.9 views

Hono: Middleware bypass via repeated slashes in serveStatic

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.8AI score0.00459EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/04/08 12:16 a.m.4 views

EUVD-2026-20491

@hono/node-server: Middleware bypass via repeated slashes in serveStatic...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References3
OSV
OSV
added 2026/04/08 12:16 a.m.1 views

GHSA-92PP-H63X-V22M @hono/node-server: Middleware bypass via repeated slashes in serveStatic

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.8AI score0.00376EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/08 12:16 a.m.4 views

Directory Traversal

Overview @hono/node-server is a Node.js Adapter for Hono Affected versions of this package are vulnerable to Directory Traversal due to inconsistent handling of repeated slashes in the serveStatic process. An attacker can access sensitive static files that are intended to be protected by bypassin...

6.9CVSS6.3AI score0.00376EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/08 12:16 a.m.20 views

@hono/node-server: Middleware bypass via repeated slashes in serveStatic

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.5 views

PT-2026-31281

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.8AI score0.00459EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.5 views

PT-2026-31280

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References5
SUSE CVE
SUSE CVE
added 2026/03/28 12:25 a.m.7 views

SUSE CVE-2026-33344

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

8.1CVSS5.8AI score0.00469EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/27 7:50 p.m.6 views

CVE-2026-33868

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability CWE-601 exists in the /web/ route due to improper handling of URL-encoded path segments. An attacker can craft a specially encode...

4.3CVSS6AI score0.00515EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.2 views

CVE-2026-32004

OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitti...

8.3CVSS5.8AI score0.00297EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.3 views

CVE-2026-33344

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

8.1CVSS5.7AI score0.00571EPSS
Exploits2References1
NVD
NVD
added 2026/03/24 8:16 p.m.6 views

CVE-2026-33344

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

8.1CVSS0.00469EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/24 7:23 p.m.6 views

CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

8.1CVSS5.7AI score0.00469EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/24 7:23 p.m.33 views

CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

8.1CVSS0.00469EPSS
Exploits1References2
OSV
OSV
added 2026/03/24 7:23 p.m.7 views

CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

8.1CVSS6.3AI score0.00469EPSS
Exploits1References4
CVE
CVE
added 2026/03/24 7:23 p.m.15 views

CVE-2026-33344

CVE-2026-33344 affects Dagu (workflow engine). In versions 2.0.0–before 2.3.1, a fix for CVE-2026-27598 patched CreateNewDAG, but API endpoints GET, DELETE, RENAME, and EXECUTE pass {fileName} to locateDAG without ValidateDAGName, allowing path traversal via %2F-encoded slashes in the {fileName} ...

8.1CVSS5.7AI score0.00469EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.12 views

dagu 路径遍历漏洞

Dagu is a workflow engine developed under open source by Dagu Workflow Engine. Versions of Dagu from 2.0.0 to 2.3.1 had a path traversal vulnerability. This vulnerability stemmed from the fact that API endpoints such as GET, DELETE, RENAME, and EXECUTE did not call the ValidateDAGName function. A...

8.1CVSS6.4AI score0.00469EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/23 6:16 p.m.3 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the locateDAG process. An attacker can access arbitrary files by submitting specially crafted requests containing %2F-encoded slashes. Details A Directory Traversal attack also known as path traversal aims to...

8.6CVSS6.5AI score0.00469EPSS
Exploits1References3
Rows per page
Query Builder