Lucene search
K

22 matches found

AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.7 views

Astra Linux – Vulnerability in imagemagick

ImageMagick is free and open-source software used for editing and manipulating digital images. Before versions 7.1.2-15 and 6.9.13-40, ImageMagick’s path security policy was enforced on the raw filename string before the filesystem resolved it. As a result, policy rules such as /etc/ could be...

8.6CVSS7.2AI score0.00671EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.9 views

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS5.4AI score0.00483EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/19 9:24 a.m.36 views

CVE-2026-46724 Path Traversal in extension "Faceted Search" (ke_search)

The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences...

5.9CVSS0.00404EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/08 3:43 a.m.51 views

CVE-2026-42274 Heimdall: Authorization bypass via path normalization mismatch

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy ca...

7.8CVSS5.7AI score0.00368EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.13 views

PT-2026-33035

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated...

10CVSS5.2AI score0.00483EPSS
Exploits1References11
Vulnrichment
Vulnrichment
added 2026/04/10 4:3 p.m.3 views

CVE-2026-35668 OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters

OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in...

7.7CVSS5.9AI score0.00382EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/10 4:3 p.m.25 views

CVE-2026-35668 OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters

OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in...

7.7CVSS0.00382EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/26 5:23 p.m.3 views

CVE-2026-33494 Ory Oathkeeper has a path traversal authorization bypass

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences...

10CVSS5.9AI score0.00519EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/26 5:23 p.m.26 views

CVE-2026-33494 Ory Oathkeeper has a path traversal authorization bypass

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences...

10CVSS0.00519EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/26 5:23 p.m.7 views

CVE-2026-33494

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences...

10CVSS5.8AI score0.00519EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/26 5:23 p.m.5 views

CVE-2026-33494 Ory Oathkeeper has a path traversal authorization bypass

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences...

10CVSS6.4AI score0.00519EPSS
Exploits0References4
CNNVD
CNNVD
added 2025/12/19 12:0 a.m.5 views

Takes 安全漏洞

Takes is an object-oriented Java web development framework by the individual developer Yegor Bugayenko. A security vulnerability exists in Takes 2.0-SNAPSHOT and earlier versions, which stems from an un-normalized HTTP request path that could lead to arbitrary file reading...

7.5CVSS6.8AI score0.0051EPSS
Exploits1References3
Veracode
Veracode
added 2025/10/14 10:23 a.m.8 views

Directory Traversal

Internetarchive is vulnerable to Directory traversal. The vulnerability is due to improper sanitization and validation of user-supplied filenames due to File.download accepting unnormalized filenames; an attacker can provide names e.g. ../../../../windows/system32/file.txt to write outside the...

9.4CVSS7AI score0.01402EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/06/23 10:41 p.m.9 views

pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos

Summary This affects both: 1. Unsupported algos e.g. sha3-256 / sha3-512 / sha512-256 2. Supported but non-normalized algos e.g. Sha256 / Sha512 / SHA1 / sha-1 / sha-256 / sha-512 All of those work correctly in Node.js, but this polyfill silently returns highly predictable ouput Under Node.js onl...

9.1CVSS7.1AI score0.00359EPSS
Exploits0References5Affected Software1
Hacker One
Hacker One
added 2025/06/08 2:54 p.m.7 views

Omise: Cache Pollution via Unkeyed GET Parameters on www.omise.co

The CDN serving the website appeared to cache pages based on the full URL, including arbitrary query parameters, without normalizing or properly keying them. This behavior resulted in cache pollution, where the cache was filled with redundant versions of the same page...

5.8AI score
Exploits0
CNNVD
CNNVD
added 2025/03/20 12:0 a.m.5 views

Aim 安全漏洞

Aim is an easy-to-use and high-performance open source experiment tracker from Aim Open Source USA. A security vulnerability exists in the bb76afe version of Aim, which stems from the LockManager.releaselocks function not normalizing user-controllable parameters, which could lead to arbitrary fil...

9.1CVSS9AI score0.00849EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2024/06/03 3:16 p.m.17 views

CVE-2024-32983 Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities

Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the author...

8.2CVSS6.7AI score0.004EPSS
Exploits1References2
CNNVD
CNNVD
added 2021/11/04 12:0 a.m.5 views

Jenkins 后置链接漏洞

Jenkins is a Jenkins open source application . An open source automation server Jenkins provides hundreds of plugins to support building, deploying and automating any project. Jenkins suffers from a backlink vulnerability that stems from an unnormalized path in the file path filter in the...

8.1CVSS7.5AI score0.01911EPSS
Exploits0References17
RedHat Linux
RedHat Linux
added 2019/04/10 8:29 p.m.3 views

istio/envoy: Path traversal via URL Patch manipulation in HTTP/1.x header

A flaw was found in Envoy version 1.9.0 and older, where Envoy does not normalize HTTP URL paths. This flaw allows a remote attacker to craft a path with a relative path and to bypass access control. This issue results in a backend server with the ability to interpret the unnormalized path...

10CVSS5.8AI score0.0268EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2018/11/13 6:20 p.m.2 views

keycloak: Open Redirect in Login and Logout

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack...

6.1CVSS5.7AI score0.01097EPSS
Exploits0References4
Rows per page
Query Builder