Lucene search
K

37 matches found

Vulnrichment
Vulnrichment
added 2026/03/31 4:56 p.m.1 views

CVE-2026-34361 HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith...

9.3CVSS5.8AI score0.00299EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/31 4:56 p.m.26 views

CVE-2026-34361 HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith...

9.3CVSS0.00299EPSS
Exploits1References1
OSV
OSV
added 2026/03/26 6:55 p.m.2 views

GHSA-44FC-8FM5-Q62H Convict has Prototype Pollution via startsWith() function

Summary A prototype pollution vulnerability exists in the latest version of the convict npm package 6.2.4. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a...

9.4CVSS6.4AI score0.0084EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.5 views

PT-2026-28540

Name of the Vulnerable Software and Affected Versions convict versions 6.2.4 Description A prototype pollution issue exists in the convict npm package. The issue stems from an incomplete fix that attempted to prevent prototype pollution by checking if user input begins with a prohibited key...

9.4CVSS6.5AI score0.0084EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/02/21 12:0 a.m.11 views

Feathers 访问控制错误漏洞

Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier have a security vulnerability related to access control. This vulnerability stems from the use of the...

8.1CVSS5.8AI score0.0024EPSS
Exploits0References3
NVD
NVD
added 2026/02/03 9:16 p.m.18 views

CVE-2026-24052

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith function to validate trusted domains e.g., docs.python.org,...

7.4CVSS0.00338EPSS
Exploits0References1
CNVD
CNVD
added 2025/06/17 12:0 a.m.2 views

School Fees Payment System ajx.php File SQL Injection Vulnerability

School Fees Payment System is a tuition payment system. The School Fees Payment System suffers from a SQL injection vulnerability that originates from a lack of validation of externally-entered SQL statements in the parameter namestartsWith in the file /ajx.php. An attacker can exploit this...

8.8CVSS8.2AI score0.0049EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 3:19 p.m.6 views

CVE-2020-21526

An Arbitrary file writing vulnerability in halo v1.1.3. In an interface to write files in the background, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it...

9.8CVSS6.9AI score0.0189EPSS
Exploits1
Prion
Prion
added 2023/03/06 5:15 a.m.17 views

Directory traversal

All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith method in the servePath function...

5CVSS7.5AI score0.01445EPSS
Exploits1References4
CNNVD
CNNVD
added 2023/03/06 12:0 a.m.5 views

node-static 路径遍历漏洞

node-static is an rfc 2616 compliant HTTP static file server module with built-in caching. A security vulnerability exists in node-static due to improper file path cleanup in the startsWith method of the servePath function...

7.5CVSS7.3AI score0.01445EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2022/05/16 4:26 a.m.65 views

CVE-2022-21190

This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's...

9.8CVSS2.7AI score0.03802EPSS
Exploits2References3
Github Security Blog
Github Security Blog
added 2022/05/14 12:1 a.m.49 views

Prototype Pollution in convict

This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's...

9.8CVSS2.9AI score0.03802EPSS
Exploits1References7Affected Software1
Prion
Prion
added 2022/05/13 8:15 p.m.24 views

Design/Logic Flaw

This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's...

7.5CVSS9.4AI score0.03802EPSS
Exploits2References5Affected Software1
NVD
NVD
added 2020/09/30 6:15 p.m.33 views

CVE-2020-21525

Halo V1.1.3 is affected by: Arbitrary File reading. In an interface that reads files in halo v1.1.3, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it...

7.5CVSS0.01917EPSS
Exploits1References1
Prion
Prion
added 2020/09/30 6:15 p.m.16 views

Directory traversal

An Arbitrary file writing vulnerability in halo v1.1.3. In an interface to write files in the background, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it...

7.5CVSS9.3AI score0.0189EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2020/09/30 2:38 p.m.32 views

CVE-2020-21525

Halo V1.1.3 is affected by: Arbitrary File reading. In an interface that reads files in halo v1.1.3, a directory traversal check is performed on the input path parameter, but the startsWith function can be used to bypass it...

7.5AI score0.01917EPSS
Exploits1References1
Atlassian
Atlassian
added 2007/07/19 12:56 p.m.24 views

XSS vulnerability in app/pages/listpages-alphaview.action

Description: XSS via the "startsWith" field in pages/listpages-alphaview.action. Exploit: noformathttp://app/pages/listpages-alphaview.action?key=&startsWith=xss:alertdocument.cookienoformat...

0.7AI score
Exploits0
Rows per page
Query Builder