This page collects WhisperX intelligence signals tagged #web security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical security flaw has been confirmed in a test application, exposing its internal configuration to potential attackers. The vulnerability, classified with a severity of CRITICAL, allows for file path manipulation attacks. A test payload containing the path `../WEB-INF/web.xml` was successfully submitted to the a...
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a single JavaScript file, posing a direct risk of client-side script injection. The flaw is classified under CWE-79 and OWASP A03:2021 - Injection, with an 80% confidence rating. The core issue is a direct, unescaped assignment of user ...
A critical file path manipulation vulnerability has been confirmed in a staging environment, allowing unauthorized access to a sensitive server configuration file. The attack succeeded by submitting a simple payload containing '../WEB-INF/web.xml' through a user-controllable parameter, which the server then processed a...
A critical security flaw in the `@astrojs/vercel` integration allows unauthenticated attackers to rewrite internal server request paths, potentially leading to path traversal attacks. The vulnerability, tracked as CVE-2026-33768, stems from the serverless entrypoint reading the `x-astro-path` header and `x_astro_path` ...
A critical security vulnerability, CVE-2026-21883, has been disclosed in the Bokeh data visualization library, exposing deployed server instances to Cross-Site WebSocket Hijacking (CSWSH). The flaw, which prompted an automated dependency update from version 2.4.3 to 3.8.2, allows attackers to hijack WebSocket connectio...
Red Hatμ ν΅μ¬ μν°νλΌμ΄μ¦ μ νκ΅°μ κΈ°λ°μΌλ‘ νλ μλ§μ μμ€ν μ μ¬κ°ν 보μ μνμ΄ μ κΈ°λμλ€. CVE-2026-28368λ‘ μλ³λ μ΄ μ·¨μ½μ μ Undertow μΉ μλ²μ μΌκ΄μ± μλ HTTP ν€λ νμ± λ‘μ§μμ λΉλ‘―λλ©°, μμ² λ°μ(Request Smuggling) 곡격μ κ°λ₯νκ² ν μ μλ€. CVSS 8.7μ μ λμ μν λ±κΈμ μ격 곡격μκ° μ μμ μΈ μμ²μ ν΅ν΄ λ°±μλ μμ€ν μ λμμ λ³μ‘°νκ±°λ λ€λ₯Έ 곡격μ μν λ°νμ λ§λ ¨ν μ μμμ μμ¬νλ€. μ΄ μ·¨μ½μ μ μν₯μ κ΄λ²μνλ€. Red Hat Enterprise Linux 8, 9, 10μ λΉλ‘―ν΄,...
Red Hatμ ν΅μ¬ μΉ μλ² μμ§μΈ Undertowμμ HTTP μμ² λ°μ(Request Smuggling) μ·¨μ½μ μ΄ κ³΅κ°μ μΌλ‘ μλ³λλ€. CVE-2026-28367λ‘ μ§μ λ μ΄ μ·¨μ½μ μ 곡격μκ° λΉμ μμ μΈ `\r\r\r` ν€λ λΈλ‘ μ’ λ£ λ¬Έμλ₯Ό μ¬μ©ν΄ νλ‘ νΈμλ μλ²μ λ°±μλ Undertow μλ² κ°μ μμ² ν΄μμ λΆμΌμΉμμΌ, νλμ μμ²μ λ κ°λ‘ λΆλ¦¬νκ±°λ μ¨κ²¨μ§ μμ²μ μ£Όμ ν μ μλ μνμ μ΄λνλ€. CVSS 8.7μ λμ μ¬κ°λ μ μλ μ격 μ½λ μ€νμ΄λ λ―Όκ°ν λ°μ΄ν° λ ΈμΆκ³Ό κ°μ μ¬κ°ν 곡격 κ²½λ‘λ₯Ό μ΄μ΄λμ κ°λ₯μ±μ μμ¬νλ€. μ΄ μ·¨μ½μ μ Undert...
A critical security flaw, designated CVE-2026-33870, has been disclosed in the widely-used `io.netty:netty-codec-http` library. The vulnerability, classified as an 'Inconsistent Interpretation of HTTP Requests' or HTTP request/response smuggling (CWE-444), allows attackers to bypass security controls and potentially po...
A critical security gap has been identified in the Apache web server configuration for Catroweb, a children's platform. The configuration file (`docker/apache/catroweb.conf`) lacks any standard security headers, leaving the site vulnerable to a range of common web attacks. This absence is particularly significant given...
A medium-severity vulnerability in the widely-used Express.js web framework exposes applications to potential open redirect attacks. Tracked as CVE-2024-43796, the flaw exists in all versions of Express prior to 4.20.0. The core risk is that passing any untrusted user inputβeven after it has been sanitizedβto the `resp...
A critical cross-site scripting (XSS) vulnerability has been identified in the platform's dashboard, exposing users to potential session hijacking and data theft. The flaw resides in multiple inline `onclick` handlers that fail to properly escape single quotes, allowing attackers to inject and execute arbitrary JavaScr...
A security scan has flagged a medium-severity Cross-Site Request Forgery (CSRF) vulnerability within a Ruby on Rails application, pinpointing a critical misconfiguration in session management. The flaw resides in the `app/helpers/sessions_helper.rb` file, where two permanent cookies are being set without essential secu...
A security scan has flagged a Cross-Site Request Forgery (CSRF) vulnerability within a core authentication file of a Ruby on Rails application. The issue, classified with medium severity, centers on the `app/helpers/sessions_helper.rb` file, where two instances of cookie creation lack essential security flags. Specific...
A significant security gap has been identified in the `mcp probe` tool. The current verification process for MCP (Model Context Protocol) endpoints performs no analysis of Cross-Origin Resource Sharing (CORS) policies, leaving a critical vulnerability unaddressed. This omission is explicitly noted in the project's TODO...
A critical security vulnerability in the Nuxt framework, tracked as CVE-2024-34343, exposes applications to potential cross-site scripting (XSS) attacks. The flaw resides in the `navigateTo` function, which is designed to block the `javascript:` protocol but fails to correctly utilize the APIs provided by the underlyin...
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a core JavaScript file of a GitHub-hosted project, posing a direct risk of client-side script injection. The flaw, classified under CWE-79 and OWASP A03:2021 - Injection, carries an 80% confidence rating and is located in a single, crit...
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a critical development environment configuration file. The flaw, classified under CWE-79 and OWASP A03:2021 - Injection, resides in a single instance where user input is rendered directly into HTML without proper sanitization. This crea...
A newly disclosed vulnerability in a foundational Node.js library opens a subtle but exploitable path for attackers to manipulate cookie data on web servers. CVE-2024-47764, rated with medium severity, targets the widely used `cookie` library, a core component for parsing and serializing HTTP cookies. The flaw allows a...
A critical security flaw in Magix CMS 4 leaves the software's installation workflow fully accessible after deployment, enabling any unauthenticated attacker to completely hijack the website. The vulnerability stems from the installer entry point failing to properly block access once the CMS is configured, allowing remo...
A critical vulnerability in a widely-used Java networking library opens a direct path for attackers to bypass security controls and poison web caches. Tracked as CVE-2026-33870, the flaw resides in the `io.netty:netty-codec-http` library, specifically version 4.2.9.Final. The core issue is an 'Inconsistent Interpretati...