Browse and filter security vulnerabilities across ecosystems
Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
TYPO3 HTML Sanitizer allows Cross-Site Scripting
LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body
SSRF allowlist bypass via percent-encoded host in hackney
authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier Truncation
Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core
Next.js: Cache poisoning in React Server Component responses
linux-entra-sso: PRT SSO cookie can leak to attacker-controlled hosts when broad host permissions are granted
Heimdall: Authorization bypass via path normalization mismatch
Heimdall: Case-sensitive host matching may lead to policy bypass
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion
github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
Official Clerk JavaScript SDKs: Middleware-based route protection bypass
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option