CWE-436
Interpretation Conflict
Produkt A przetwarza dane wejściowe lub kroki inaczej niż Produkt B, co powoduje, że A wykonuje nieprawidłowe działania na podstawie swojej percepcji stanu B. Ta rozbieżność w interpretacji może prowadzić do niespójnego zachowania systemu.
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable admin or user API. which could let a remote malisious user execute arbitrary code.
The ESET AV parsing engine allows virus-detection bypass via a crafted BZ2 Checksum field in an archive. This affects versions before 1294 of Smart Security Premium, Internet Security, NOD32 Antivirus, Cyber Security Pro (macOS), Cyber Security (macOS), Mobile Security for Android, Smart TV Security, and NOD32 Antivirus 4 for Linux Desktop.
The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives. Note: It has been argued that "The vulnerability reported in PDF Embedder Plugin is not valid as the plugin itself doesn't control or manage the file upload process. It only serves the uploaded PDF files and the responsibility of uploading PDF file remains with the Site owner of Wordpress installation, the upload of PDF file is managed by Wordpress core and not by PDF Embedder Plugin. Control & block of polyglot file is required to be taken care at the time of upload, not on showing the file. Moreover, the reference mentions retrieving the files from the browser cache and manually renaming it to jar for executing the file. That refers to a two step non-connected steps which has nothing to do with PDF Embedder.
Biblioteka ruby-saml w wersjach przed 1.12.4 i 1.18.0 zawiera krytyczną podatność umożliwiającą ominięcie uwierzytelnienia SAML SSO. Atakujący może podszyć się pod dowolnego użytkownika bez znajomości jego poświadczeń.
W bibliotece ruby-saml wykryto krytyczną podatność umożliwiającą obejście uwierzytelnienia (authentication bypass) w mechanizmie SAML Single Sign-On. Atakujący bez żadnych uprawnień może przejąć tożsamość dowolnego użytkownika, w tym administratora.
@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.
Funkcja createRouteMatcher w bibliotekach @clerk/nextjs, @clerk/nuxt i @clerk/astro może zostać obejściem przy użyciu specjalnie spreparowanych żądań HTTP, co pozwala atakującemu ominąć bramkowanie middleware i dotrzeć do chronionych zasobów bez uwierzytelnienia. Podatność ma ocenę CVSS 9.1 i jest sklasyfikowana jako krytyczna.
Wersje @fastify/middie 9.3.1 i wcześniejsze nie przekazują middleware zarejestrowanego w zakresie nadrzędnym do instancji silnika pluginów potomnych. Skutkuje to możliwością dostępu do chronionych tras przez nieuwierzytelnionych użytkowników, co stanowi krytyczne zagrożenie dla aplikacji opartych na Fastify.
Biblioteka @fastify/express w wersjach do 4.0.4 włącznie zawiera błąd w obsłudze ścieżek, który powoduje całkowite ominięcie mechanizmów bezpieczeństwa Express middleware. Podatność jest szczególnie groźna, ponieważ nie wymaga żadnej specjalnej konfiguracji ani spreparowanego żądania.
Biblioteka @fastify/express w wersji 4.0.4 i wcześniejszych nie normalizuje URL-i przed przekazaniem ich do middleware Express, co umożliwia całkowite ominięcie mechanizmów uwierzytelnienia opartych na ścieżkach. Atakujący bez żadnych uprawnień może uzyskać dostęp do chronionych zasobów poprzez proste manipulacje URL.
GNU Wget w wersjach do 1.24.5 włącznie nieprawidłowo obsługuje znak średnika w podkomponencie userinfo adresu URI. Może to prowadzić do niebezpiecznego zachowania, w którym dane przeznaczone dla sekcji userinfo są błędnie traktowane jako część sekcji host.
An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.
Softing Secure Integration Server Interpretation Conflict Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the web server. The issue results from an inconsistency in URI parsing between NGINX and application code. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20551.
Microsoft SharePoint Server Remote Code Execution Vulnerability
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3.
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.