CVEs classified under CWE-178, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-54763 — CVSS 10.0 (critical): Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and…
CVE-2026-40453 — CVSS 9.9 (critical): The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as…
CVE-2026-47323 — CVSS 9.8 (critical): Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations…
CVE-2024-5699 — CVSS 9.8 (critical): In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be…
CVE-2023-3545 — CVSS 9.8 (critical): Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows…
CVE-2022-29604 — CVSS 9.8 (critical): An issue was discovered in ONOS 2.5.1. An intent with an uppercase letter in a device ID shows the CORRUPT state, which is misleading to a…
CVE-2005-0269 — CVSS 9.8 (critical): The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote…
CVE-2004-2154 — CVSS 9.8 (critical): CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a…
CVE-2004-2214 — CVSS 9.8 (critical): Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters.
CVE-2002-2119 — CVSS 9.8 (critical): Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password…
CVE-2002-1820 — CVSS 9.8 (critical): register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A," but allows a remote attacker…
CVE-2001-0766 — CVSS 9.8 (critical): Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains…
CVE-2026-27588 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented…
CVE-2026-27587 — CVSS 9.1 (critical): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended…
CVE-2021-25036 — CVSS 8.8 (high): The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal…
CVE-2021-24347 — CVSS 8.8 (high): The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php…
CVE-2019-6289 — CVSS 8.8 (high): uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a…
CVE-2026-46392 — CVSS 8.7 (high): HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint…
CVE-2025-67718: Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a…
CVE-2021-39155 — CVSS 8.3 (high): Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce…
CVE-2026-53721 — CVSS 8.2 (high): Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a…
CVE-2026-48595: Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin…
CVE-2021-39134 — CVSS 8.2 (high): `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line…
CVE-2026-22665 — CVSS 8.1 (high): prompts.chat prior to commit 1464475, contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive…
CVE-2026-32939 — CVSS 8.1 (high): DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC…
CVE-2024-55634 — CVSS 8.1 (high): A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before…
CVE-2025-59944 — CVSS 8.0 (high): Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE…
CVE-2026-42273: Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host…
CVE-2026-42272: Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded…
CVE-2001-1238 — CVSS 7.8 (high): Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3)…
CVE-2026-47346: Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass…
CVE-2026-43513 — CVSS 7.5 (high): Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1…
CVE-2026-29054 — CVSS 7.5 (high): Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential…
CVE-2026-27896 — CVSS 7.5 (high): The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's…
CVE-2024-6866 — CVSS 7.5 (high): corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the…
CVE-2024-23331 — CVSS 7.5 (high): Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file…
CVE-2021-45893 — CVSS 7.5 (high): An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. There is Improper Handling of Case Sensitivity, which makes password guessing…
CVE-2007-3365 — CVSS 7.5 (high): MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain…
CVE-2004-1083 — CVSS 7.5 (high): Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses…
CVE-2003-0411 — CVSS 7.5 (high): Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase…
CVE-2002-0485 — CVSS 7.5 (high): Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition…
CVE-2001-0795 — CVSS 7.5 (high): Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1)…
CVE-2000-0499 — CVSS 7.5 (high): The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a…
CVE-2000-0498 — CVSS 7.5 (high): Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension…
CVE-2000-0497 — CVSS 7.5 (high): IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP…
CVE-1999-0239 — CVSS 7.5 (high): Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.
CVE-2025-46701 — CVSS 7.3 (high): Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security…
CVE-2026-33691 — CVSS 6.8 (medium): The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to…