Lucene search
K

115 matches found

NVD
NVD
added 4 days ago6 views

CVE-2026-13430

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS0.00615EPSS
Exploits0References7
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42785

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS6.6AI score0.00615EPSS
Exploits0References7
CVE
CVE
added 4 days ago10 views

CVE-2026-13430

The WordPress plugin Post Export Import with Media (versions up to 1.13.1) is vulnerable to Arbitrary File Upload. The root cause is insufficient file extension validation during ZIP import: the extension allow-list check in ajax_import_media_start() uses pathinfo() on the raw ZIP entry name, so ...

7.2CVSS6.6AI score0.00615EPSS
Exploits0References7
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-13430 Post Export Import with Media <= 1.13.1 - Authenticated (Administrator+) Arbitrary File Upload via Trailing-Dot Filename Bypass in ZIP Media Import

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS0.00615EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/07/07 4:27 a.m.5 views

CVE-2026-8924

A flaw was found in curl's cookie parsing logic. A malicious HTTP server can exploit this by setting 'super cookies' that bypass the Public Suffix List check. This allows an attacker-controlled origin to inject cookies that curl then transmits to unrelated third-party domains, leading to...

9.1CVSS5.9AI score0.00649EPSS
Exploits1References6
CVE
CVE
added 2026/07/03 6:15 a.m.24 views

CVE-2026-8924

CVE-2026-8924 – curl cookie parsing flaw. The vulnerability arises from curl’s cookie parsing logic, enabling a malicious HTTP server to set ‘super cookies’ that bypass the Public Suffix List check. This allows an attacker-controlled origin to inject cookies that curl subsequently scopes and tran...

9.1CVSS6AI score0.00649EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/06/19 7:35 p.m.12 views

EUVD-2026-36539

parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist...

2.1CVSS5.8AI score0.00281EPSS
Exploits0References4
OSV
OSV
added 2026/06/19 7:35 p.m.4 views

GHSA-7WQV-XJF3-X35V parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Impact The default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g. poc.svg.. The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the...

2.1CVSS5.8AI score0.00281EPSS
Exploits0References5
NVD
NVD
added 2026/06/16 7:17 p.m.21 views

CVE-2026-53859

OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block throu...

6.5CVSS0.0021EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:5 p.m.18 views

CVE-2026-53859

Technical details (affected components, root cause, specific versions, exploitation) are not publicly available in the provided documents. Monitor for updates.

6.5CVSS5.3AI score0.0021EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/16 12:40 p.m.5 views

BIT-PARSE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g. poc.svg...

2.1CVSS5.1AI score0.00281EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.20 views

PT-2026-49776

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.26 Description An issue exists in hostname validation where trailing-dot notation in model or workspace-derived URLs can be used to bypass blocklist comparisons. This occurs because hostname checks treat hosts...

6.5CVSS5.2AI score0.0021EPSS
Exploits0References5
NVD
NVD
added 2026/06/12 7:16 p.m.18 views

CVE-2026-53724

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...

2.1CVSS0.00281EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 6:34 p.m.34 views

CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...

2.1CVSS0.00281EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 6:34 p.m.13 views

CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...

2.1CVSS5.1AI score0.00281EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 6:34 p.m.33 views

CVE-2026-53724

CVE-2026-53724 – Parse Server Stored XSS (trailing-dot bypass) affects Parse Server prior to versions 8.6.79 and 9.9.1-alpha.4. A trailing dot on a filename bypasses the default file upload extension blocklist by making the extension parser yield an empty string, allowing the attacker-controlled ...

2.1CVSS5.2AI score0.00281EPSS
Exploits0References3
Hacker One
Hacker One
added 2026/06/09 2:20 a.m.19 views

curl: Trailing-Dot Hostname in Redirect Silently Strips Client Certificate and Auth Credentials

Summary When curl follows a redirect where the Location header contains a hostname with a trailing dot e.g., https://example.com./path, Curlpeerequal in peer.c:321-330 compares the original hostname example.com against the redirect target example.com. using curlstrequal, which does not normalize...

5.7CVSS6.6AI score0.01595EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/14 10:35 a.m.41 views

curl: Trailing-dot IPv4 URL bypasses IP-address guard, allows wildcard DNS SAN match

Hi all, Sorry to ruin anybody's day, but we've discovered another issue when it comes to dots. We've found a TLS certificate verification bypass that lets a trailing-dot IPv4 URL -- https://127.0.0.1./ -- pass peer authentication against a wildcard DNS SAN certificate such as DNS:.0.0.1. The IP...

4.3CVSS5.9AI score0.01118EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 10:12 p.m.31 views

curl: HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115

Hi all, Honestly, I'm not completely certain about this issue, but I think the CVE-2022-30115 fix "HSTS bypass via trailing dot" is incomplete: the same asymmetry exists for hostnames with two or more trailing dots, so http://example.com../ still gets sent in plaintext when there's a valid HSTS...

4.3CVSS6.8AI score0.01118EPSS
Exploits1
Hacker One
Hacker One
added 2026/05/13 9:30 p.m.7 views

curl: CVE-2026-8924: trailing dot domain super cookie

Summary: A PSL-enabled curl build rejects a canonical public suffix cookie such as Domain=co.uk, but accepts the trailing-dot variant Domain=co.uk. when the request host also uses a trailing dot. In the reproduced case, a response from foo.co.uk. sets Set-Cookie: trail=1; Domain=co.uk.; Path=/, a...

9.1CVSS5.8AI score0.00649EPSS
Exploits1
Rows per page
Query Builder