VYPR

CWE-178

Improper Handling of Case Sensitivity

Base | Incomplete

Description

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (67)

page 2 of 4
  • CVE-2000-0497 | High | Jun 8, 2000
    risk 0.49 | cvss 7.5 | epss 0.03

    IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.

  • CVE-2026-53721 | High | Jun 12, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in…

  • CVE-2026-45062 | High | Jun 10, 2026
    risk 0.46 | cvss 8.1 | epss 0.01

    FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an…

  • CVE-2026-48595 | High | Jun 2, 2026
    risk 0.46 | cvss | epss 0.00

    Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string…

  • CVE-2026-22665 | High | Apr 3, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks.…

  • CVE-2026-42273 | High | May 8, 2026
    risk 0.44 | cvss | epss 0.00

    Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule…

  • CVE-2026-42272 | High | May 8, 2026
    risk 0.44 | cvss | epss 0.00

    Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent…

  • CVE-2026-47346 | High | Jun 9, 2026
    risk 0.42 | cvss | epss 0.00

    Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements,…

  • CVE-2026-43513 | High | May 12, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older…

  • CVE-2026-27896 | High | Feb 26, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match…

  • CVE-2023-46218 | Medium | Dec 7, 2023
    risk 0.42 | cvss 6.5 | epss 0.02

    This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do…

  • CVE-2026-54528 | High | Jun 19, 2026
    risk 0.38 | cvss | epss

    Summary: `jupyterlab-git` 0.53.0 (latest, 2026-04-30) uses `fnmatch.fnmatchcase()` in `GitHandler.prepare()` (`jupyterlab_git/handlers.py:91`) to enforce the admin-configured `excluded_paths` security control. Because `fnmatchcase` is unconditionally case-sensitive, an…

  • CVE-2026-45135 | High | May 18, 2026
    risk 0.38 | cvss | epss 0.00

    Summary: The FastCGI transport's `splitPos()` in [`modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go`](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) misuses `golang.org/x/text/search` with `search.IgnoreCase` when the…

  • CVE-2026-33691 | Medium | Apr 2, 2026
    risk 0.37 | cvss 6.8 | epss 0.01

    The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx)…

  • CVE-2017-8493 | Medium | Jun 15, 2017
    risk 0.36 | cvss 5.5 | epss 0.01

    Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to set variables that are either read-only or require authentication when Windows fails to enforce case sensitivity for certain…

  • CVE-2026-3833 | Medium | Apr 30, 2026
    risk 0.35 | cvss 6.5 | epss 0.01

    A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can…

  • CVE-2025-50864 | Medium | Aug 20, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather…

  • CVE-2018-8337 | Medium | Sep 13, 2018
    risk 0.35 | cvss 5.3 | epss 0.01

    A security feature bypass vulnerability exists when Windows Subsystem for Linux improperly handles case sensitivity, aka "Windows Subsystem for Linux Security Feature Bypass Vulnerability." This affects Windows 10, Windows 10 Servers.

  • CVE-2025-4035 | Medium | Apr 29, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a…

  • CVE-2026-3532 | Medium | Mar 26, 2026
    risk 0.27 | cvss 4.2 | epss 0.00

    Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.