Skip to main content

CWE-178

Improper Handling of Case Sensitivity

53 CVEs Avg CVSS 6.5 MITRE
8
CRITICAL
20
HIGH
16
MEDIUM
9
LOW
14
POC
1
KEV

Monthly

CVE-2026-54763 HIGH PATCH This Week

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker reaching a protected route smuggle an underscore-variant HTTP header past the BasicAuth, DigestAuth, and ForwardAuth middlewares' sanitization. Traefik strips canonical dashed spoofed headers before setting its own trusted value but ignores underscore forms (e.g. X_Forwarded_User vs X-Forwarded-User) that many backends normalize identically, so the forged header reaches the backend alongside — or, on the ForwardAuth authResponseHeaders path, instead of — Traefik's intended value. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a vendor fix and upstream commit are published.

Code Injection Canonical Traefik
NVD GitHub
CVSS 4.0
7.8
EPSS
0.3%
CVE-2026-14617 LOW Monitor

Case-sensitivity bypass in NousResearch hermes-agent through version 2026.4.30 allows authenticated remote attackers to leak limited reasoning content that should have been scrubbed by the Streaming Reasoning Tag Filter. The vulnerability resides in `GatewayStreamConsumer._filter_and_accumulate` within `gateway/stream_consumer.py`, where tag matching fails to account for case variations, permitting reasoning tokens to escape filtration. A public proof-of-concept exploit has been disclosed; however, the vendor has formally declined to issue a patch, classifying the maintenance cost as disproportionate to the assessed risk.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-58057 LOW POC PATCH Monitor

Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.

Microsoft RCE Flowise
NVD GitHub VulDB Exploit-DB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-57234 Ruby LOW PATCH Monitor

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.

XXE SSRF Nokogiri
NVD GitHub VulDB
CVSS 3.1
2.6
EPSS
0.2%
CVE-2026-48794 Go LOW PATCH GHSA Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.3%
CVE-2026-54528 PyPI HIGH PATCH GHSA This Week

Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.

Python Microsoft Apple Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-49336 npm MEDIUM POC PATCH GHSA This Month

Credential leakage in @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101 causes Bearer tokens and session cookies to be forwarded to attacker-controlled cross-origin redirect destinations because the default RedirectHandler's header-scrubbing logic silently fails: FetchRequestAdapter lowercases all header keys before the middleware sees them, but scrubSensitiveHeaders performs PascalCase deletes (delete headers.Authorization), targeting keys that no longer exist. This flaw is present in the default middleware chain with no opt-in configuration required, affecting every kiota-generated TypeScript SDK - including Microsoft Graph clients - that uses BaseBearerTokenAuthenticationProvider or any auth provider that sets the Authorization header. Proof-of-concept code exists (CVSS 4.0 E:P), and a vendor patch is available in version 1.0.0-preview.102; no active exploitation has been confirmed in the CISA KEV at time of analysis.

Microsoft Information Disclosure Kiota Typescript
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.7%
CVE-2026-55170 Go LOW PATCH GHSA Monitor

OpenFGA's authorization Check API returns incorrect results when MySQL is configured as the datastore and authorization policies depend on case-sensitive user string differentiation. MySQL's default case-insensitive collations cause two distinct user identifiers - identical except for letter casing - to match the same stored authorization tuple, producing an 'allowed' response for a user identity that should be denied. This constitutes an improper policy enforcement flaw (GHSA-cf98-j28v-49v6) that can silently bypass fine-grained access controls in any deployment meeting the two required preconditions. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-53721 npm HIGH PATCH GHSA This Week

Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined protections (authentication, redirects, headers, prerender/SSR controls) by simply varying URL case, because vue-router matches paths case-insensitively while the routeRules matcher matched case-sensitively. The fix in 3.21.7 and 4.4.7 lowercases the path before matching. EPSS is 0.02% and no public exploit is identified at time of analysis, but the underlying class is trivially abused once an asymmetric rule is known.

Authentication Bypass Nuxt
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-47346 PHP HIGH PATCH GHSA This Week

Privilege escalation in TYPO3 CMS Form Framework allows authenticated backend users with file write permissions to bypass upload restrictions using mixed-case file extensions (e.g., .FORM.YAML), then execute arbitrary SQL via crafted form definition files to create administrative backend accounts. The flaw affects TYPO3 versions before 10.4.57, 11.5.50, 12.4.45, 13.4.30, and 14.3.2 across all supported branches. No public exploit identified at time of analysis, but the upstream fix is published with detailed commit-level test cases that effectively serve as a roadmap for exploit development.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Identity/authorization header spoofing in Traefik reverse proxy (before v2.11.51, v3.6.22, and v3.7.6) lets an attacker reaching a protected route smuggle an underscore-variant HTTP header past the BasicAuth, DigestAuth, and ForwardAuth middlewares' sanitization. Traefik strips canonical dashed spoofed headers before setting its own trusted value but ignores underscore forms (e.g. X_Forwarded_User vs X-Forwarded-User) that many backends normalize identically, so the forged header reaches the backend alongside — or, on the ForwardAuth authResponseHeaders path, instead of — Traefik's intended value. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a vendor fix and upstream commit are published.

Code Injection Canonical Traefik
NVD GitHub
EPSS 0% CVSS 1.3
LOW Monitor

Case-sensitivity bypass in NousResearch hermes-agent through version 2026.4.30 allows authenticated remote attackers to leak limited reasoning content that should have been scrubbed by the Streaming Reasoning Tag Filter. The vulnerability resides in `GatewayStreamConsumer._filter_and_accumulate` within `gateway/stream_consumer.py`, where tag matching fails to account for case variations, permitting reasoning tokens to escape filtration. A public proof-of-concept exploit has been disclosed; however, the vendor has formally declined to issue a patch, classifying the maintenance cost as disproportionate to the assessed risk.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.

Microsoft RCE Flowise
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 2.6
LOW PATCH Monitor

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.

XXE SSRF Nokogiri
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Authorization bypass in Authelia 4.36.0-4.39.19 allows an attacker to circumvent access control rules under an extremely narrow set of eight simultaneous conditions involving mixed-case domain requests, wildcard rule ordering, and a non-canonicalizing proxy. The flaw occurs because Go's case-sensitive `strings.HasSuffix` was used for wildcard domain matching: a crafted URL such as `https://a.B.example.com` causes the suffix check against `*.b.example.com` to fail silently, causing the authorization engine to fall through to a more permissive rule (e.g., `*.example.com → bypass`). No confirmed active exploitation has been identified and no CISA KEV listing exists; the CVSS 4.0 score of 1.3 with E:P reflects that proof-of-concept exploitation is plausible in theory but real-world exposure is extremely limited by the configuration prerequisites.

Authentication Bypass Authelia
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.

Python Microsoft Apple +1
NVD GitHub VulDB
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Credential leakage in @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101 causes Bearer tokens and session cookies to be forwarded to attacker-controlled cross-origin redirect destinations because the default RedirectHandler's header-scrubbing logic silently fails: FetchRequestAdapter lowercases all header keys before the middleware sees them, but scrubSensitiveHeaders performs PascalCase deletes (delete headers.Authorization), targeting keys that no longer exist. This flaw is present in the default middleware chain with no opt-in configuration required, affecting every kiota-generated TypeScript SDK - including Microsoft Graph clients - that uses BaseBearerTokenAuthenticationProvider or any auth provider that sets the Authorization header. Proof-of-concept code exists (CVSS 4.0 E:P), and a vendor patch is available in version 1.0.0-preview.102; no active exploitation has been confirmed in the CISA KEV at time of analysis.

Microsoft Information Disclosure Kiota Typescript
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

OpenFGA's authorization Check API returns incorrect results when MySQL is configured as the datastore and authorization policies depend on case-sensitive user string differentiation. MySQL's default case-insensitive collations cause two distinct user identifiers - identical except for letter casing - to match the same stored authorization tuple, producing an 'allowed' response for a user identity that should be denied. This constitutes an improper policy enforcement flaw (GHSA-cf98-j28v-49v6) that can silently bypass fine-grained access controls in any deployment meeting the two required preconditions. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined protections (authentication, redirects, headers, prerender/SSR controls) by simply varying URL case, because vue-router matches paths case-insensitively while the routeRules matcher matched case-sensitively. The fix in 3.21.7 and 4.4.7 lowercases the path before matching. EPSS is 0.02% and no public exploit is identified at time of analysis, but the underlying class is trivially abused once an asymmetric rule is known.

Authentication Bypass Nuxt
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Privilege escalation in TYPO3 CMS Form Framework allows authenticated backend users with file write permissions to bypass upload restrictions using mixed-case file extensions (e.g., .FORM.YAML), then execute arbitrary SQL via crafted form definition files to create administrative backend accounts. The flaw affects TYPO3 versions before 10.4.57, 11.5.50, 12.4.45, 13.4.30, and 14.3.2 across all supported branches. No public exploit identified at time of analysis, but the upstream fix is published with detailed commit-level test cases that effectively serve as a roadmap for exploit development.

Authentication Bypass
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy