Lucene search
K

123 matches found

RedhatCVE
RedhatCVE
added 2026/01/09 8:59 a.m.8 views

CVE-2023-49799

nuxt-api-party is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression ^https?://, however this regular expression can be bypassed by ...

7.5CVSS6.8AI score0.00819EPSS
Exploits1References1
RedHat Linux
RedHat Linux
added 2026/01/08 7:23 a.m.10 views

tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE

A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If...

7.5CVSS7.7AI score0.66535EPSS
Exploits4References6
Github Security Blog
Github Security Blog
added 2025/12/16 9:22 p.m.11 views

Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs e.g., by collapsing multiple slashes, this can allow bypasses of disabledPaths and path-based rate limits. Details Better Auth...

7AI score
Exploits0References2Affected Software1
OSV
OSV
added 2025/12/16 9:22 p.m.5 views

GHSA-X732-6J76-QMHM Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs e.g., by collapsing multiple slashes, this can allow bypasses of disabledPaths and path-based rate limits. Details Better Auth...

8.6CVSS5.9AI score
Exploits0References2
OSV
OSV
added 2025/12/16 4:37 p.m.5 views

CLSA-2025-1765903038 tomcat: Fix of CVE-2025-55752

CVE-2025-55752: fix relative path traversal vulnerability by normalizing rewritten URLs before decoding to prevent bypassing security constraints and potential remote code execution via PUT requests...

7.5CVSS7.9AI score0.66535EPSS
Exploits4References1
RedHat Linux
RedHat Linux
added 2025/12/10 5:45 p.m.6 views

tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE

A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If...

7.5CVSS7.7AI score0.66535EPSS
Exploits4References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2022-2233

Malicious code in bioql PyPI...

6.1CVSS6.5AI score0.01097EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2024/03/25 8:0 p.m.19 views

CVE-2024-28246 KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...

5.5CVSS7.2AI score0.00406EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2024/03/21 6:59 p.m.49 views

Path traversal in webpack-dev-middleware

Summary The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. Details The middleware can either work with the physical filesystem when reading the files or it can...

7.5CVSS6.4AI score0.01199EPSS
Exploits1References11Affected Software1
Broadcom
Broadcom
added 2023/08/01 12:0 a.m.72 views

Apache httpd URL normalization inconsistency

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes '/', directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing wi...

5.3CVSS6.1AI score0.1786EPSS
Exploits0Affected Software1
Prion
Prion
added 2023/06/21 8:15 p.m.14 views

Code injection

The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service ReDos via a crafted URL to lib.rs...

5CVSS7.4AI score0.01212EPSS
Exploits1References3Affected Software1
Prion
Prion
added 2023/06/12 1:15 p.m.20 views

Code injection

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service ReDos via a crafted URL to normalizeurl in lib.rs, a similar issue to CVE-2023-32758 Python...

5CVSS7.4AI score0.01033EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2023/05/29 9:7 a.m.11 views

CVE-2023-2808 Lack of URL normalization allows rendering previews for disallowed domains

Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link...

4.3CVSS6.8AI score0.00408EPSS
Exploits0References1
Cvelist
Cvelist
added 2023/05/29 9:7 a.m.24 views

CVE-2023-2808 Lack of URL normalization allows rendering previews for disallowed domains

Mattermost fails to normalize UTF confusable characters when determining if a preview should be generated for a hyperlink, allowing an attacker to trigger link preview on a disallowed domain using a specially crafted link...

4.3CVSS5.5AI score0.00408EPSS
Exploits0References1
OSV
OSV
added 2022/07/27 8:26 p.m.33 views

GO-2022-0355 Path traversal in github.com/valyala/fasthttp

The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory. URL path normalization does not handle Windows path separators backslashes, permitting an attacker to construct requests with relative pat...

7.5CVSS7.4AI score0.02457EPSS
Exploits1References4
RedHat Linux
RedHat Linux
added 2021/12/16 5:21 p.m.6 views

nodejs-normalize-url: ReDoS for data URLs

A flaw was found in normalize-url. Node.js has a ReDoS regular expression denial of service issue because it has exponential performance for data...

7.5CVSS7.3AI score0.01705EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2021/11/10 5:14 p.m.5 views

JBCS: URL normalization issue with dot-dot-semicolon(s) leads to information disclosure

A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL contains dot-dot-semicolons. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest...

4.8CVSS5.8AI score0.00472EPSS
Exploits0References4
OpenVAS
OpenVAS
added 2021/06/09 12:0 a.m.22 views

SUSE: Security Advisory (SUSE-SU-2020:14287-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

8.1CVSS7.2AI score0.04903EPSS
Exploits0References5
Hacker One
Hacker One
added 2021/02/13 3:32 p.m.20 views

Slack: Lack of URL normalization renders Blocked-Previews feature ineffectual

Slack has a feature known as Blocked Previewsblocked-previews, which allows Workspace Owners and Admins to specify a list of URLs for which no link preview should occur. The point of this feature is to reduce clutter and prevent harmful content from getting embedded in the workspace. However, whe...

0.7AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2021/01/29 12:0 a.m.49 views

CentOS 8 : httpd:2.4 (CESA-2019:3436)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:3436 advisory. - httpd: modauthdigest: access control bypass due to race condition CVE-2019-0217 - httpd: URL normalization inconsistency CVE-2019-0220 Note that Ness...

7.5CVSS7.2AI score0.1786EPSS
Exploits0References3
Rows per page
Query Builder