
520 matches found

Source: Vulnrichment (added 2026/01/19 8:36 a.m., 2 views)

CVE-2025-29847 Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass

A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigg...

AI score: 5.5, EPSS: 0.00744
Exploits: 0, References: 1

Source: CVE (added 2026/01/19 8:36 a.m., 16 views)

CVE-2025-29847

CVE-2025-29847 (Apache Linkis): A vulnerability in Apache Linkis where, when using the JDBC engine and data source, multiple URL-encoded parameters on the frontend can bypass checks and allow unauthorized access to system files via JDBC parameters. Affected versions: 1.3.0–1.7.0. Impact: potenti...

CVSS: 7.5, AI score: 5.6, EPSS: 0.00744
Exploits: 0, References: 2, Affected Software: 1

Source: Positive Technologies (added 2026/01/19 12:00 a.m., 3 views)

PT-2026-3452

Name of the Vulnerable Software and Affected Versions: @fastify/express versions prior to 4.0.3. Description: A security issue exists in the @fastify/express plugin, which provides Express compatibility for Fastify. The problem occurs when middleware is registered with a specific path prefix...

CVSS: 8.4, AI score: 5.3, EPSS: 0.00321
Exploits: 0, References: 11

Source: RedhatCVE (added 2026/01/09 9:06 a.m., 4 views)

CVE-2024-34712

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/id being normalized into the url /api/v10/channels/id, and deleting a...

CVSS: 6.5, AI score: 6.4, EPSS: 0.00551
Exploits: 0, References: 1

Source: EUVD (added 2025/12/30 3:32 p.m., 3 views)

EUVD-2025-205611

Nest has a Fastify URL Encoding Middleware Bypass TOCTOU...

CVSS: 9.1, AI score: 6.4, EPSS: 0.00355
Exploits: 1, References: 3

Source: Snyk (added 2025/12/29 4:44 p.m., 4 views)

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview: @nestjs/platform-fastify is the Fastify platform package for Nest, a modern, fast, powerful Node.js web framework. Affected versions of this package are vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition in the URL encoding middleware, allowing it to be bypassed in certain configurations. An...

CVSS: 9.1, AI score: 6.6, EPSS: 0.00355
Exploits: 1, References: 2

Source: Vulnrichment (added 2025/12/29 4:01 p.m., 1 view)

CVE-2025-69211 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVSS: 9.1, AI score: 6.5, EPSS: 0.00355
Exploits: 1, References: 2

Source: CVE (added 2025/12/29 4:01 p.m., 13 views)

CVE-2025-69211

CVE-2025-69211 affects Nest.js applications using the Fastify platform integration before version 11.1.11. The issue is a bypass in the Fastify URL encoding middleware that can skip security checks implemented via NestMiddleware (via MiddlewareConsumer) or app.use(), particularly when middleware ...

CVSS: 9.1, AI score: 6.5, EPSS: 0.00355
Exploits: 1, References: 2, Affected Software: 1

Source: Positive Technologies (added 2025/12/29 12:00 a.m., 5 views)

PT-2025-53755

Name of the Vulnerable Software and Affected Versions: Nest versions prior to 11.1.11. Description: Nest is a framework used for building scalable Node.js server-side applications. A flaw exists where the Fastify URL encoding middleware can be bypassed. This impacts applications utilizing...

CVSS: 9.1, AI score: 6.4, EPSS: 0.00355
Exploits: 1, References: 6

Source: CNNVD (added 2025/12/29 12:00 a.m., 3 views)

nest security vulnerability

nest is a Node.js framework open-sourced by nestjs for building efficient, scalable and enterprise-class server-side applications using TypeScript/JavaScript. A security vulnerability exists in versions of nest prior to 11.1.11, which stems from a bypass in the Fastify URL encoding middleware tha...

CVSS: 9.1, AI score: 5.8, EPSS: 0.00355
Exploits: 1, References: 2

Source: GithubExploit (added 2025/12/26 2:06 p.m., 143 views)

cl-cybersec-pysxss

XSS WAF Lab – Payload Generator. This project studies how Web...

AI score: 6.3
Exploits: 0

Source: Tenable Nessus (added 2025/12/11 12:00 a.m., 3 views)

Qnap QTS and QuTS hero Improper Handling of URL Encoding (CVE-2024-48866)

An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to put the system into an unexpected state. We have already fixed the vulnerability in the following...

CVSS: 5.3, AI score: 5.5, EPSS: 0.00423
Exploits: 0, References: 2

Source: CNNVD (added 2025/12/09 12:00 a.m., 4 views)

Astro security vulnerability

Astro is an open source web framework for content-driven websites. A security vulnerability exists in Astro versions 5.15.7 and below, which stems from a double URL encoding bypass that could allow an unauthenticated attacker to access protected routes...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00273
Exploits: 0, References: 4

Source: Github Security Blog (added 2025/12/08 4:26 p.m., 8 views)

Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765

Authentication Bypass via Double URL Encoding in Astro (Bypass for CVE-2025-64765 / GHSA-ggxq-hp9w-j794). Summary: A double URL encoding bypass allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. Whi...

CVSS: 6.9, AI score: 7.3, EPSS: 0.0047
Exploits: 1, References: 6, Affected Software: 1

Source: Github Security Blog (added 2025/11/25 2:20 p.m., 8 views)

body-parser is vulnerable to denial of service when url encoding is used

Impact: body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage...

CVSS: 6.9, AI score: 6.7, EPSS: 0.00329
Exploits: 0, References: 5, Affected Software: 1

Source: OSV (added 2025/11/20 9:03 a.m., 3 views)

BIT-GITLAB-2025-11990 Improper Handling of URL Encoding (Hex Encoding) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses...

CVSS: 3.5, AI score: 6.8, EPSS: 0.00258
Exploits: 0, References: 4

Source: Vulnrichment (added 2025/11/15 8:03 a.m., 2 views)

CVE-2025-11990 Improper Handling of URL Encoding (Hex Encoding) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses...

CVSS: 3.1, AI score: 6.2, EPSS: 0.00258
Exploits: 0, References: 3

Source: Cvelist (added 2025/11/15 8:03 a.m., 9 views)

CVE-2025-11990 Improper Handling of URL Encoding (Hex Encoding) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses...

CVSS: 3.1, EPSS: 0.00258
Exploits: 0, References: 3

Source: OSV (added 2025/11/11 1:26 p.m., 2 views)

CLSA-2025-1762867600 git-lfs: Fix of CVE-2024-53263

CVE-2024-53263: fix issue where Git LFS could expose user credentials via URL-encoded control characters in host's URL...

CVSS: 8.5, AI score: 7.1, EPSS: 0.0104
Exploits: 0, References: 1

Source: Veracode (added 2025/10/27 1:58 p.m., 4 views)

Cross-site Scripting

dotnetnuke.core is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper encoding of user input in URL and template rendering, allowing attackers to inject malicious scripts that execute in victims’ browsers...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00196
Exploits: 0, References: 3, Affected Software: 1