Lucene search
K

5 matches found

CVE
CVE
added 6 days ago8 views

CVE-2026-56233

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy. Authenticated users with build permissions can bypass upload restrictions by appending traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal admi...

8.7CVSS5.8AI score0.00451EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 6 days ago7 views

SUSE CVE-2026-13676

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode IDN hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize and equal still return...

7.2CVSS5.8AI score0.00274EPSS
Exploits0References3
OSV
OSV
added 2026/05/05 8:29 p.m.7 views

GHSA-J4RJ-2JR5-M439 ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs

Summary ssrfcheck v1.3.0 latest fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address e.g. http://::ffff:127.0.0.1/. The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to...

8.2CVSS5.8AI score0.00226EPSS
Exploits0References3
NVD
NVD
added 2026/04/17 9:16 p.m.7 views

CVE-2026-40299

next-intl provides internationalization for Next.js. Applications using the next-intl middleware prior to version 4.9.1with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or...

6.9CVSS0.00339EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2022/02/22 12:0 a.m.45 views

url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.

Leading control characters in a URL are not stripped when passed into url-parse. This can cause input URLs to be mistakenly be interpreted as a relative URL without a hostname and protocol, while the WHATWG URL parser will trim control characters and treat it as an absolute URL. If url-parse is...

9.8CVSS8.1AI score0.0222EPSS
Exploits1References7Affected Software1
Rows per page
Query Builder