
31 matches found

OSV
added 4 days ago, 9 views

DEBIAN-CVE-2026-49342

YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joine...

CVSS 5.3, AI score 5.8
Exploits 0, References 1
Cvelist
added 4 days ago, 15 views

CVE-2026-49342 YARD static cache reads raw traversal paths before router sanitization

YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joine...

CVSS 5.3
Exploits 0, References 2
OSV
added 2026/05/18 8:10 a.m., 7 views

SUSE-SU-2026:1964-1 Security update for rmt-server

This update for rmt-server fixes the following issues: - CVE-2026-26961: rack: a mismatch in header handling can allow smuggling of multipart content (bsc1261398). - CVE-2026-26962: rack: improper unfolding of folded multipart headers can lead to header injection or response splitting (bsc1261471). -...

CVSS 7.5, AI score 5.8, EPSS 0.0043
Exploits 0, References 22
OSV
added 2026/04/16 10:34 p.m., 4 views

GHSA-PR96-94W5-MX2H @fastify/static vulnerable to path traversal in directory listing

Impact: @fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path to resolve a directory outside the root via path.join without a containment check. A remote...

CVSS 5.3, AI score 6, EPSS 0.00506
Exploits 0, References 4
RedhatCVE
added 2026/04/09 7:22 p.m., 2 views

CVE-2025-57175

Siklu EtherHaul 8010 siklu-uimage-nxp-enc-1062-18707-ea552dc00b devices have a static root password...

CVSS 6.4, AI score 5.9, EPSS 0.00127
Exploits 0, References 1
EUVD
added 2026/04/08 6:34 p.m., 2 views

EUVD-2025-209317

Siklu EtherHaul 8010 siklu-uimage-nxp-enc-1062-18707-ea552dc00b devices have a static root password...

CVSS 6.4, AI score 5.9, EPSS 0.00127
Exploits 0, References 2
NVD
added 2026/04/08 5:20 p.m., 0 views

CVE-2025-57175

Siklu EtherHaul 8010 siklu-uimage-nxp-enc-1062-18707-ea552dc00b devices have a static root password...

CVSS 6.8, EPSS 0.00127
Exploits 0, References 1
CVE
added 2026/04/08 12:00 a.m., 12 views

CVE-2025-57175

CVE-2025-57175 affects Siklu EtherHaul 8010 devices (image siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b). The root cause is a static root password present in the affected firmware image. Impact is stated as high confidentiality/integrity/availability (per CVSS) with physical attack vector and hig...

CVSS 6.8, AI score 5.9, EPSS 0.00127
Exploits 0, References 1, Affected Software 1
Cvelist
added 2026/04/08 12:00 a.m., 19 views

CVE-2025-57175

Siklu EtherHaul 8010 siklu-uimage-nxp-enc-1062-18707-ea552dc00b devices have a static root password...

CVSS 6.4, EPSS 0.00127
Exploits 0, References 1
Vulnrichment
added 2026/04/08 12:00 a.m., 1 view

CVE-2025-57175

Siklu EtherHaul 8010 siklu-uimage-nxp-enc-1062-18707-ea552dc00b devices have a static root password...

CVSS 6.4, AI score 5.9, EPSS 0.00127
Exploits 0, References 1
CNNVD
added 2026/04/08 12:00 a.m., 2 views

Siklu EtherHaul security vulnerability

Siklu EtherHaul is a series of millimeter-wave wireless transmission devices developed by Siklu Corporation. The Siklu EtherHaul 8010 siklu-uimage-nxp-enc-1062-18707-ea552dc00b version contains a security vulnerability, which stems from the presence of a static root password...

CVSS 6.4, AI score 5.8, EPSS 0.00127
Exploits 0, References 1
OSV
added 2026/04/02 6:44 p.m., 2 views

GHSA-H2JQ-G4CQ-5PPQ Rack::Static prefix matching can expose unintended files under the static root

Summary: Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...

CVSS 7.5, AI score 5.9, EPSS 0.00308
Exploits 0, References 4
Github Security Blog
added 2026/04/02 6:44 p.m., 2 views

Rack::Static prefix matching can expose unintended files under the static root

Summary: Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...

CVSS 7.5, AI score 5.9, EPSS 0.00308
Exploits 0, References 4, Affected Software 1
Positive Technologies
added 2026/04/02 12:00 a.m., 4 views

PT-2026-29915

Summary: Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...

CVSS 7.5, AI score 5.9, EPSS 0.00308
Exploits 0, References 4
RubySec
added 2026/04/02 12:00 a.m., 6 views

Rack::Static prefix matching can expose unintended files under the static root

Summary: Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...

CVSS 7.5, AI score 5.8, EPSS 0.00308
Exploits 0, References 1, Affected Software 1
Github Security Blog
added 2026/03/04 8:05 p.m., 6 views

@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware

Summary: When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be...

CVSS 7.5, AI score 6, EPSS 0.00327
Exploits 0, References 4, Affected Software 1
OSV
added 2026/03/04 7:48 p.m., 3 views

GHSA-Q5QW-H33P-QVWR Hono vulnerable to arbitrary file access via serveStatic vulnerability

Summary: When using serveStatic together with route-based middleware protections (e.g. app.use('/admin/', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowe...

CVSS 7.5, AI score 5.8, EPSS 0.00437
Exploits 0, References 4
NVD
added 2026/02/19 4:27 p.m., 4 views

CVE-2026-25766

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...

CVSS 5.3, EPSS 0.00329
Exploits 1, References 3
Vulnrichment
added 2026/02/19 3:49 p.m., 2 views

CVE-2026-25766 Echo has a Windows path traversal via backslash in middleware.Static default filesystem

Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...

CVSS 5.3, AI score 5.6, EPSS 0.00329
Exploits 1, References 3
CVE
added 2026/02/19 3:49 p.m., 11 views

CVE-2026-25766

The CVE-2026-25766 issue affects Echo (github.com/labstack/echo/v5) on Windows, where middleware.Static uses the default filesystem and path.Clean does not treat backslashes as separators. This lets an unauthenticated attacker read files outside the static root by crafting a path that includes se...

CVSS 5.3, AI score 5.6, EPSS 0.00329
Exploits 1, References 3, Affected Software 1