CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

50 matches found

WebMvc.fn/WebFlux.fn - Path Traversal

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

7.5CVSS7AI score0.9389EPSS

Exploits1References4

Fedora•added 2025/11/13 1:23 a.m.•4 views

[SECURITY] Fedora 41 Update: rubygem-rack-2.2.21-1.fc41

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a single...

7.5CVSS7.1AI score0.03121EPSS

Exploits3

EUVD•added 2025/10/03 8:7 p.m.•3 views

EUVD-2023-1658

Malicious code in bioql PyPI...

7.5CVSS7.5AI score0.00218EPSS

Exploits0References4

Packet Storm News•added 2025/07/29 12:0 a.m.•1 views

Secure Coding for Web Applications: Frameworks, Challenges, and the Role of LLMs

Secure coding is a critical yet often overlooked practice in software development. Despite extensive awareness efforts, real-world adoption remains inconsistent due to organizational, educational, and technical barriers. This paper provides a comprehensive review of secure coding practices across...

6.9AI score

Exploits0

Tenable Nessus•added 2025/03/05 12:0 a.m.•17 views

Linux Distros Unpatched Vulnerability : CVE-2024-38816

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can...

7.5CVSS6.9AI score0.9389EPSS

Exploits1References3

NVD•added 2024/12/19 6:15 p.m.•14 views

CVE-2024-38819

7.5CVSS0.93188EPSS

Exploits5References2

RedHat Linux•added 2024/12/02 4:6 p.m.•2 views

org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks

A flaw was found in the Spring Framework. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. This flaw allows an attacker to craft malicious HTTP requests and obtain any file on the file system that is also...

7.5CVSS7.1AI score0.93188EPSS

Exploits5References4

RedhatCVE•added 2024/11/20 2:21 p.m.•18 views

CVE-2024-38819

7.5CVSS6.4AI score0.93188EPSS

Exploits5References3

NVD•added 2024/03/24 8:15 p.m.•15 views

CVE-2024-29034

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value tha...

6.8CVSS6.2AI score0.00075EPSS

Exploits0References2

UbuntuCve•added 2024/03/24 8:15 p.m.•14 views

CVE-2024-29034

6.8CVSS6.6AI score0.00075EPSS

Exploits0References3

Cvelist•added 2024/03/24 7:27 p.m.•15 views

CVE-2024-29034 CarrierWave's Content-Type allowlist bypass vulnerability which possibly leads to XSS remained

6.8CVSS6.7AI score0.00075EPSS

Exploits0References2

OSV•added 2024/03/24 7:27 p.m.•30 views

CVE-2024-29034 CarrierWave's Content-Type allowlist bypass vulnerability which possibly leads to XSS remained

6.8CVSS6.3AI score0.00075EPSS

Exploits0References4

CVE•added 2024/03/24 7:27 p.m.•67 views

CVE-2024-29034

CVE-2024-29034 affects CarrierWave (Rails/Sinatra file uploads). The issue arises from a Content-Type allowlist bypass when uploading to object storage (e.g., S3): multiple comma-separated values can bypass the allowlist, enabling possible XSS. The vulnerability references CVE-2023-49090 and is a...

6.8CVSS6.2AI score0.00075EPSS

Exploits0References2Affected Software1

NVD•added 2023/11/29 3:15 p.m.•14 views

CVE-2023-49090

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in allowlistedcontenttype? determines Content-Type permissions by performing a partial match. If the...

6.8CVSS0.00141EPSS

Exploits0References3

UbuntuCve•added 2023/11/29 3:15 p.m.•16 views

CVE-2023-49090

6.8CVSS6.5AI score0.00141EPSS

Exploits0References5

Cvelist•added 2023/11/29 2:38 p.m.•16 views

CVE-2023-49090 CarrierWave has a content-type allowlist bypass vulnerability, possibly leading to XSS

6.8CVSS6.6AI score0.00141EPSS

Exploits0References3

Debian CVE•added 2023/11/29 2:38 p.m.•19 views

CVE-2023-49090

6.8CVSS6.2AI score0.00141EPSS

Exploits0

CVE•added 2023/11/29 2:38 p.m.•66 views

CVE-2023-49090

CarrierWave (Ruby/Rails file-upload library) contains a Content-Type allowlist bypass vulnerability (CVE-2023-49090). The issue arises because allowlisted_content_type? validates Content-Type via partial matching, enabling an attacker to craft content_type values that bypasses the allowlist, pote...

6.8CVSS6.1AI score0.00141EPSS

Exploits0References3Affected Software1

OSV•added 2023/11/29 2:38 p.m.•21 views

CVE-2023-49090 CarrierWave has a content-type allowlist bypass vulnerability, possibly leading to XSS

6.8CVSS6.1AI score0.00141EPSS

Exploits0References5