Lucene search
K

13 matches found

CVE
CVE
added 2026/06/30 10:8 p.m.12 views

CVE-2026-56233

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy. Authenticated users with build permissions can bypass upload restrictions by appending traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal admi...

8.7CVSS5.8AI score0.00451EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/06/30 1:49 a.m.7 views

SUSE CVE-2026-13676

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode IDN hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize and equal still return...

7.2CVSS5.8AI score0.00274EPSS
Exploits0References3
OSV
OSV
added 2026/05/05 8:29 p.m.8 views

GHSA-J4RJ-2JR5-M439 ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs

Summary ssrfcheck v1.3.0 latest fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address e.g. http://::ffff:127.0.0.1/. The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to...

8.2CVSS5.8AI score0.00226EPSS
Exploits0References3
NVD
NVD
added 2026/04/17 9:16 p.m.8 views

CVE-2026-40299

next-intl provides internationalization for Next.js. Applications using the next-intl middleware prior to version 4.9.1with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or...

6.9CVSS0.00339EPSS
Exploits0References4
Fedora
Fedora
added 2025/04/21 4:47 p.m.8 views

[SECURITY] Fedora 41 Update: rust-url-2.5.4-1.fc41

URL library for Rust, based on the WHATWG URL Standard...

7.4AI score
Exploits0
Fedora
Fedora
added 2025/04/20 4:23 a.m.10 views

[SECURITY] Fedora 42 Update: rust-url-2.5.4-1.fc42

URL library for Rust, based on the WHATWG URL Standard...

7.4AI score
Exploits0
NVD
NVD
added 2022/10/27 4:15 p.m.21 views

CVE-2022-3095

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '' characters in URIs, which can lead to auth bypass in webapp...

9.8CVSS0.00867EPSS
Exploits0References1
Cvelist
Cvelist
added 2022/10/27 12:0 a.m.32 views

CVE-2022-3095 Incorrect parsing of the backslash characters in Dart library

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '' characters in URIs, which can lead to auth bypass in webapp...

9.8CVSS9.7AI score0.00867EPSS
Exploits0References1
OSV
OSV
added 2022/10/27 12:0 a.m.37 views

CVE-2022-3095 Incorrect parsing of the backslash characters in Dart library

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '' characters in URIs, which can lead to auth bypass in webapp...

9.8CVSS7.2AI score0.00867EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2022/02/22 12:0 a.m.45 views

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.

Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is...

9.8CVSS8.1AI score0.0222EPSS
Exploits1References7Affected Software1
OSV
OSV
added 2021/03/01 8:3 p.m.4 views

GHSA-P6J9-7XHC-RHWP URIjs Hostname spoofing via backslashes in URL

Impact If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash \ character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and...

7.5CVSS6.8AI score0.02483EPSS
Exploits1References6
NVD
NVD
added 2020/12/31 12:15 a.m.23 views

CVE-2020-26291

URI.js is a javascript URL mutation library npm package urijs. In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash \ character followed by an at @ character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and...

6.5CVSS6.2AI score0.0169EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2019/01/02 12:0 a.m.33 views

SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:1183-1)

This update for nodejs6 fixes the following issues : - Fix some node-gyp permissions - New upstream LTS release 6.14.1 : - Security fixes : + CVE-2018-7160: Fix for inspector DNS rebinding vulnerability bsc1087463 + CVE-2018-7158: Fix for 'path' module regular expression denial of service...

8.8CVSS7.2AI score0.09916EPSS
Exploits0References10
Rows per page
Query Builder