CWE-647

Use of Non-Canonical URL Paths for Authorization Decisions

4 CVEs, average CVSS 5.3 (source: MITRE)
Severity breakdown: 0 Critical, 1 High, 2 Medium, 1 Low
PoC available: 0; in KEV: 0


CVE-2025-9909 | MEDIUM | Patch: This Month

A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. [CVSS 6.7 MEDIUM]

Tags: Redhat, Information Disclosure
References: NVD, VulDB
CVSS 3.1: 6.7 | EPSS: 0.0%

CVE-2025-64500 | HIGH | Patch: This Month

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity.

Tags: PHP, Authentication Bypass, Httpfoundation, Symfony
References: NVD, GitHub
CVSS 3.1: 7.3 | EPSS: 0.0%

CVE-2025-47241 | MEDIUM | Patch: This Month

In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable and requires no authentication. No vendor patch available.

Tags: Information Disclosure
References: NVD, GitHub
CVSS 3.1: 4.0 | EPSS: 0.2%

CVE-2025-43916 | LOW | Monitor

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable and requires no authentication. No vendor patch available.

Tags: Information Disclosure
References: NVD, GitHub
CVSS 3.1: 3.4 | EPSS: 0.2%