Monthly
Home-directory hijacking in File Browser before 2.63.17 lets an unauthenticated attacker gain full read/write access to another user's files by registering a username that normalizes to a victim's scope. Because cleanUsername() is a many-to-one transform, distinct usernames such as team/one, team one, and team-one collapse to the same home directory, and the signup path never checked whether the derived scope was already owned. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix commit and a regression test are public, making the root cause well understood.
Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an unresolved path (e.g., `/public/../admin/secret.txt`) to downstream web applications instead of the canonicalized form (e.g., `/admin/secret.txt`). Web applications that delegate path-based authorization decisions to Jetty-provided paths are susceptible to confusion attacks where an attacker crafts a URI like `/public;/../admin/secret.txt` to receive a path that bypasses application-layer access controls. Jetty itself is shielded by its alias checker and will not serve restricted files directly; the integrity risk materializes only in applications that consume the unresolved path for routing or authorization logic. No public exploit code or CISA KEV listing is present at time of analysis.
Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected routes by exploiting an inconsistency between how the framework decodes URL paths for auth decisions versus route matching. Because authorization runs against a path that hit the iterative URL-decoder limit while later rewrite matching applies an extra decodeURI(), a request that appears benign at the auth gate resolves to a guarded route afterward, exposing protected content. No public exploit has been identified at time of analysis, but the fix in 6.4.8 and a published GitHub Security Advisory confirm the flaw.
Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. [CVSS 6.7 MEDIUM]
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Home-directory hijacking in File Browser before 2.63.17 lets an unauthenticated attacker gain full read/write access to another user's files by registering a username that normalizes to a victim's scope. Because cleanUsername() is a many-to-one transform, distinct usernames such as team/one, team one, and team-one collapse to the same home directory, and the signup path never checked whether the derived scope was already owned. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix commit and a regression test are public, making the root cause well understood.
Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an unresolved path (e.g., `/public/../admin/secret.txt`) to downstream web applications instead of the canonicalized form (e.g., `/admin/secret.txt`). Web applications that delegate path-based authorization decisions to Jetty-provided paths are susceptible to confusion attacks where an attacker crafts a URI like `/public;/../admin/secret.txt` to receive a path that bypasses application-layer access controls. Jetty itself is shielded by its alias checker and will not serve restricted files directly; the integrity risk materializes only in applications that consume the unresolved path for routing or authorization logic. No public exploit code or CISA KEV listing is present at time of analysis.
Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected routes by exploiting an inconsistency between how the framework decodes URL paths for auth decisions versus route matching. Because authorization runs against a path that hit the iterative URL-decoder limit while later rewrite matching applies an extra decodeURI(), a request that appears benign at the auth gate resolves to a guarded route afterward, exposing protected content. No public exploit has been identified at time of analysis, but the fix in 6.4.8 and a published GitHub Security Advisory confirm the flaw.
Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. [CVSS 6.7 MEDIUM]
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.