Skip to main content

CWE-172

Encoding Error

15 CVEs Avg CVSS 5.7 MITRE
2
CRITICAL
1
HIGH
9
MEDIUM
3
LOW
2
POC
0
KEV

Monthly

CVE-2026-48784 PHP MEDIUM PATCH GHSA This Month

Symfony's UrlGenerator encodes only alternating dot-segments in chained `../` or `./` sequences due to a `strtr()` advancement bug, producing URLs that RFC 3986-conformant reverse proxies, API gateways, and HTTP clients collapse to unintended paths. Routes exposing parameters with permissive requirements (`.+`, `.*`) that permit slashes are the exploitable surface when attacker-controlled values contain multiple consecutive dot-segments. No active exploitation is confirmed (not in CISA KEV, no EPSS score assigned), but vendor-confirmed patches are available across all maintained Symfony branches, and the vulnerability shares the same route round-trip integrity class as the previously disclosed CVE-2026-45065.

Information Disclosure
NVD GitHub
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-42926 MEDIUM PATCH This Month

NGINX Open Source configured to proxy HTTP/2 traffic with proxy_http_version set to 2 combined with proxy_set_body allows remote unauthenticated attackers to inject frame headers and payload bytes to upstream peers, enabling potential header injection or request manipulation attacks. The vulnerability affects default configurations without requiring authentication or user interaction, with CVSS 5.8 indicating moderate integrity impact across networked systems. No public exploit code or active exploitation has been confirmed at this time.

Code Injection Nginx Nginx Open Source
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-27110 HIGH POC PATCH This Week

Libmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Modsecurity Red Hat Suse
NVD GitHub
CVSS 4.0
7.9
EPSS
0.1%
CVE-2024-48909 Go LOW PATCH Monitor

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Spicedb
NVD GitHub
CVSS 3.1
2.4
EPSS
0.3%
CVE-2021-33604 Maven LOW PATCH Monitor

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local. Rated low severity (CVSS 2.5), this vulnerability is no authentication required.

RCE Flow Server Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.3%
CVE-2019-12677 MEDIUM This Month

A vulnerability in the Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Cisco Adaptive Security Appliance Software
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2019-10153 MEDIUM PATCH This Month

A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Fence Agents Enterprise Linux Enterprise Linux Server Enterprise Linux Workstation
NVD GitHub
CVSS 3.1
5.0
EPSS
2.2%
CVE-2019-10160 CRITICAL PATCH Act Now

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Enterprise Linux Desktop Enterprise Linux Eus Enterprise Linux Server +10
NVD GitHub
CVSS 3.1
9.8
EPSS
5.4%
CVE-2018-2415 MEDIUM This Month

SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure SAP Netweaver Java Web Container And Http Service Engine J2Ee Engine Server Core
NVD
CVSS 3.0
4.7
EPSS
1.2%
CVE-2018-7289 LOW POC Monitor

An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Microsoft Armadito Antivirus
NVD GitHub Exploit-DB
CVSS 3.0
3.3
EPSS
1.8%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Symfony's UrlGenerator encodes only alternating dot-segments in chained `../` or `./` sequences due to a `strtr()` advancement bug, producing URLs that RFC 3986-conformant reverse proxies, API gateways, and HTTP clients collapse to unintended paths. Routes exposing parameters with permissive requirements (`.+`, `.*`) that permit slashes are the exploitable surface when attacker-controlled values contain multiple consecutive dot-segments. No active exploitation is confirmed (not in CISA KEV, no EPSS score assigned), but vendor-confirmed patches are available across all maintained Symfony branches, and the vulnerability shares the same route round-trip integrity class as the previously disclosed CVE-2026-45065.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

NGINX Open Source configured to proxy HTTP/2 traffic with proxy_http_version set to 2 combined with proxy_set_body allows remote unauthenticated attackers to inject frame headers and payload bytes to upstream peers, enabling potential header injection or request manipulation attacks. The vulnerability affects default configurations without requiring authentication or user interaction, with CVSS 5.8 indicating moderate integrity impact across networked systems. No public exploit code or active exploitation has been confirmed at this time.

Code Injection Nginx Nginx Open Source
NVD VulDB
EPSS 0% CVSS 7.9
HIGH POC PATCH This Week

Libmodsecurity is one component of the ModSecurity v3 project. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Modsecurity Red Hat +1
NVD GitHub
EPSS 0% CVSS 2.4
LOW PATCH Monitor

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Spicedb
NVD GitHub
EPSS 0% CVSS 2.5
LOW PATCH Monitor

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local. Rated low severity (CVSS 2.5), this vulnerability is no authentication required.

RCE Flow Server Vaadin
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM This Month

A vulnerability in the Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Cisco Adaptive Security Appliance Software
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Fence Agents Enterprise Linux +2
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Enterprise Linux Desktop +12
NVD GitHub
EPSS 1% CVSS 4.7
MEDIUM This Month

SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure SAP +2
NVD
EPSS 2% CVSS 3.3
LOW POC Monitor

An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Microsoft Armadito Antivirus
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy