Monthly
Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hijack profile URLs by creating case-variant usernames (e.g., 'Alice' vs 'alice'). Inconsistent case-handling between write and read operations allows bypass of uniqueness validation, letting attackers inject malicious content on canonical victim profiles. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS:4.0 AC:L) requiring only low-privilege access (PR:L). VulnCheck disclosed this vulnerability with vendor patch released via GitHub commit.
OWASP Core Rule Set (CRS) versions prior to 3.3.9 and 4.25.0 allow bypass of file upload restrictions through whitespace-padded filenames, enabling upload of dangerous executable file extensions (.php, .phar, .jsp, .jspx) that should be blocked. Remote attackers can exploit this vulnerability to upload malicious files with high confidence due to the simple nature of the bypass technique (inserting spaces before the file extension), potentially leading to remote code execution depending on web application firewall configuration and application behavior.
Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows privilege escalation through authentication bypass mechanisms. Authenticated or remote attackers can exploit case-sensitivity weaknesses in identity claim validation to assume elevated permissions within Drupal systems relying on this module for federated authentication. The vulnerability affects all versions from 0.0.0 through 1.5.0, and vendor-released patch version 1.5.0 is available.
DataEase versions 2.10.19 and below contain a locale-dependent validation bypass vulnerability that allows attackers to smuggle dangerous JDBC parameters past security filters. The flaw stems from inconsistent locale handling where DataEase's validation uses the JVM default locale while H2 JDBC always uses English locale, causing Turkish locale environments to misinterpret malicious parameters like 'iNIT' (bypassing blacklist as 'İNIT' while H2 executes it as 'INIT'). This has been confirmed as exploitable in real deployment scenarios and enables authenticated attackers with low privileges to achieve high-impact code execution or data access, though there is no evidence yet of active exploitation or public proof-of-concept.
Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.
s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions up to 1.3.1. contains a security vulnerability.
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive fileystems. This issue is fixed in version 1.7.
Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hijack profile URLs by creating case-variant usernames (e.g., 'Alice' vs 'alice'). Inconsistent case-handling between write and read operations allows bypass of uniqueness validation, letting attackers inject malicious content on canonical victim profiles. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS:4.0 AC:L) requiring only low-privilege access (PR:L). VulnCheck disclosed this vulnerability with vendor patch released via GitHub commit.
OWASP Core Rule Set (CRS) versions prior to 3.3.9 and 4.25.0 allow bypass of file upload restrictions through whitespace-padded filenames, enabling upload of dangerous executable file extensions (.php, .phar, .jsp, .jspx) that should be blocked. Remote attackers can exploit this vulnerability to upload malicious files with high confidence due to the simple nature of the bypass technique (inserting spaces before the file extension), potentially leading to remote code execution depending on web application firewall configuration and application behavior.
Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows privilege escalation through authentication bypass mechanisms. Authenticated or remote attackers can exploit case-sensitivity weaknesses in identity claim validation to assume elevated permissions within Drupal systems relying on this module for federated authentication. The vulnerability affects all versions from 0.0.0 through 1.5.0, and vendor-released patch version 1.5.0 is available.
DataEase versions 2.10.19 and below contain a locale-dependent validation bypass vulnerability that allows attackers to smuggle dangerous JDBC parameters past security filters. The flaw stems from inconsistent locale handling where DataEase's validation uses the JVM default locale while H2 JDBC always uses English locale, causing Turkish locale environments to misinterpret malicious parameters like 'iNIT' (bypassing blacklist as 'İNIT' while H2 executes it as 'INIT'). This has been confirmed as exploitable in real deployment scenarios and enables authenticated attackers with low privileges to achieve high-impact code execution or data access, though there is no evidence yet of active exploitation or public proof-of-concept.
Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.
s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions up to 1.3.1. contains a security vulnerability.
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.
Filebrowser versions prior to 2.57.1 allow authenticated users to reset passwords without verifying the current password due to case-sensitive validation logic that can be bypassed using mixed-case field names in API requests. An attacker with a valid JWT token obtained through XSS, session hijacking, or similar means could exploit this to perform account takeover. Public exploit code exists for this vulnerability, and a patch is available.
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive fileystems. This issue is fixed in version 1.7.