351 matches found
GHSA-WMMM-F939-6G9C Hono: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
EUVD-2026-20493
Hono: Middleware bypass via repeated slashes in serveStatic...
Hono: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
EUVD-2026-20491
@hono/node-server: Middleware bypass via repeated slashes in serveStatic...
GHSA-92PP-H63X-V22M @hono/node-server: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
Directory Traversal
Overview @hono/node-server is a Node.js Adapter for Hono Affected versions of this package are vulnerable to Directory Traversal due to inconsistent handling of repeated slashes in the serveStatic process. An attacker can access sensitive static files that are intended to be protected by bypassin...
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
PT-2026-31281
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
PT-2026-31280
Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
SUSE CVE-2026-33344
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
CVE-2026-33868
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.8, 4.4.15, and 4.3.21, an unauthenticated Open Redirect vulnerability CWE-601 exists in the /web/ route due to improper handling of URL-encoded path segments. An attacker can craft a specially encode...
CVE-2026-32004
OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitti...
CVE-2026-33344
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
CVE-2026-33344
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
CVE-2026-33344 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...
CVE-2026-33344
CVE-2026-33344 affects Dagu (workflow engine). In versions 2.0.0–before 2.3.1, a fix for CVE-2026-27598 patched CreateNewDAG, but API endpoints GET, DELETE, RENAME, and EXECUTE pass {fileName} to locateDAG without ValidateDAGName, allowing path traversal via %2F-encoded slashes in the {fileName} ...
dagu 路径遍历漏洞
Dagu is a workflow engine developed under open source by Dagu Workflow Engine. Versions of Dagu from 2.0.0 to 2.3.1 had a path traversal vulnerability. This vulnerability stemmed from the fact that API endpoints such as GET, DELETE, RENAME, and EXECUTE did not call the ValidateDAGName function. A...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the locateDAG process. An attacker can access arbitrary files by submitting specially crafted requests containing %2F-encoded slashes. Details A Directory Traversal attack also known as path traversal aims to...