Total: 73 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2007-3365 | 1 Myserverproject | 1 Myserver | 2026-06-16 | 7.8 HIGH | 7.5 HIGH |
| MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI. | |||||
| CVE-2005-0269 | 1 Sir | 1 Gnuboard | 2026-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. | |||||
| CVE-2004-2214 | 1 Mbedthis | 1 Appweb Http Server | 2026-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters. | |||||
| CVE-2004-2154 | 2 Apple, Canonical | 2 Cups, Ubuntu Linux | 2026-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. | |||||
| CVE-2004-1083 | 1 Apple | 4 Darwin Streaming Server, Mac Os X, Mac Os X Server and 1 more | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate capitalization. | |||||
| CVE-2003-0411 | 2 Microsoft, Oracle | 3 Windows 2000, Windows Xp, Sun One Application Server | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension. | |||||
| CVE-2002-2119 | 1 Novell | 1 Edirectory | 2026-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing. | |||||
| CVE-2002-1820 | 1 Ultimate Php Board Project | 1 Ultimate Php Board | 2026-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A," but allows a remote attacker to impersonate the administrator by registering an account name of admin with a lower case "a." | |||||
| CVE-2002-0485 | 1 Symantec | 1 Norton Antivirus | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some mail clients. | |||||
| CVE-2001-1238 | 1 Microsoft | 1 Windows 2000 | 2026-06-16 | 4.6 MEDIUM | 7.8 HIGH |
| Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the Task Manager. | |||||
| CVE-2001-0795 | 1 Cmfperception | 1 Liteserve | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names. | |||||
| CVE-2001-0766 | 2 Apache, Apple | 2 Http Server, Mac Os X | 2026-06-16 | 7.5 HIGH | 9.8 CRITICAL |
| Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters. | |||||
| CVE-2000-0499 | 1 Bea | 1 Weblogic Server | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. | |||||
| CVE-2000-0498 | 1 Unify | 1 Ewave Servletexec | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. | |||||
| CVE-2000-0497 | 1 Ibm | 1 Websphere Application Server | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. | |||||
| CVE-1999-0239 | 1 Netscape | 1 Fasttrack Server | 2026-06-16 | 5.0 MEDIUM | 7.5 HIGH |
| Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET. | |||||
| CVE-2026-53721 | 1 Nuxt | 1 Nuxt | 2026-06-15 | N/A | 8.2 HIGH |
| Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7. | |||||
| CVE-2026-45062 | | | 2026-06-11 | N/A | 8.1 HIGH |
| FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3. | |||||
| CVE-2026-47346 | | | 2026-06-09 | N/A | N/A |
| Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2. | |||||
| CVE-2026-46392 | | | 2026-06-05 | N/A | 8.7 HIGH |
| HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html` but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix. | |||||
