CWE-178— Improper Handling of Case Sensitivity
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.— MITRE CWE catalog
79 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-178page 1 of 2
- CVE-1999-0239HIGHCVSS 7.5EG 7.51998-01-01
Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.
- CVE-2000-0497HIGHCVSS 7.5EG 7.52000-06-08
IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
- CVE-2000-0498HIGHCVSS 7.5EG 7.52000-06-08
Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
- CVE-2000-0499HIGHCVSS 7.5EG 7.52000-06-08
The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
- CVE-2001-0766CRITICALCVSS 9.8EG 9.82001-10-18
Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.
- CVE-2001-0795HIGHCVSS 7.5EG 7.52001-10-18
Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.
- CVE-2001-1238HIGHCVSS 7.8EG 7.82001-07-16
Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan ho…
- CVE-2002-0485HIGHCVSS 7.5EG 7.52002-08-12
Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some mail clients.
- CVE-2002-1820CRITICALCVSS 9.8EG 9.82002-12-31
register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A," but allows a remote attacker to impersonate the administrator by registering an account name of admin with a lower case "a."
- CVE-2002-2119CRITICALCVSS 9.8EG 9.82002-12-31
Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.
- CVE-2003-0411HIGHCVSS 7.5EG 7.52003-06-30
Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension.
- CVE-2004-1083HIGHCVSS 7.5EG 7.52004-12-03
Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files be…
- CVE-2004-2154CRITICALCVSS 9.8EG 9.82004-12-31
CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the…
- CVE-2004-2214CRITICALCVSS 9.8EG 9.82004-12-31
Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters.
- CVE-2005-0269CRITICALCVSS 9.8EG 9.82005-05-02
The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.
- CVE-2007-3365HIGHCVSS 7.5EG 7.52007-06-22
MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI.
- CVE-2018-8337MEDIUMCVSS 5.3EG 5.32018-09-13
A security feature bypass vulnerability exists when Windows Subsystem for Linux improperly handles case sensitivity, aka "Windows Subsystem for Linux Security Feature Bypass Vulnerability." This affects Windows 10, Windows 10 Servers.
- CVE-2018-9845CRITICALCVSS 9.8EG 9.82018-04-29
Etherpad Lite before 1.6.4 is exploitable for admin access.
- CVE-2019-6289HIGHCVSS 8.8EG 8.82019-01-15
uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrat…
- CVE-2020-12812CRITICALCVSS 9.8EG 9.8⚠ KEV2020-07-24
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if the…
- CVE-2020-15234MEDIUMCVSS 6.1EG 6.12020-10-02
ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite before version 0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint where compared usi…
- CVE-2020-5301LOWCVSS 3.0EG 3.02020-04-21
SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and proce…
- CVE-2021-0973MEDIUMCVSS 5.0EG 5.02021-12-15
In isFileUri of UriUtil.java, there is a possible way to bypass ignoring file://URI attachment due to improper handling of case sensitivity. This could lead to local information disclosure with no additional execution privileges needed. Us…
- CVE-2021-24347HIGHCVSS 8.8EG 8.82021-06-14
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file …
- CVE-2021-25036HIGHCVSS 8.8EG 8.82022-01-17
The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they sh…
- CVE-2021-25920MEDIUMCVSS 6.5EG 6.52021-03-22
In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious user able to read and send sensitive messages on behalf of the victim user.
- CVE-2021-28323MEDIUMCVSS 6.5EG 6.52021-04-13
Windows DNS Information Disclosure Vulnerability
- CVE-2021-39134HIGHCVSS 8.2EG 8.22021-08-31
`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of pac…
- CVE-2021-39155HIGHCVSS 8.3EG 8.32021-08-24
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html…
- CVE-2021-45893HIGHCVSS 7.5EG 7.52022-04-05
An issue was discovered in Softwarebuero Zauner ARC 4.2.0.4. There is Improper Handling of Case Sensitivity, which makes password guessing easier.
- CVE-2022-22968MEDIUMCVSS 5.3EG 5.32022-04-14
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with bot…
- CVE-2022-29604CRITICALCVSS 9.8EG 9.82023-04-20
An issue was discovered in ONOS 2.5.1. An intent with an uppercase letter in a device ID shows the CORRUPT state, which is misleading to a network operator. Improper handling of case sensitivity causes inconsistency between intent and flow…
- CVE-2023-3545CRITICALCVSS 9.8EG 9.82023-11-28
Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uplo…
- CVE-2023-46218MEDIUMCVSS 6.5EG 6.52023-12-07
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrel…
- CVE-2023-4759HIGHCVSS 8.8EG 8.82023-09-12
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when …
- CVE-2024-23331HIGHCVSS 7.5EG 7.52024-01-19
Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. T…
- CVE-2024-32879MEDIUMCVSS 4.9EG 4.92024-04-24
Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cau…
- CVE-2024-38820LOWCVSS 3.1EG 3.12024-10-18
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
- CVE-2024-38829LOWCVSS 3.7EG 3.72024-12-04
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions pri…
- CVE-2024-55634HIGHCVSS 8.1EG 8.12024-12-10
A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
- CVE-2024-5699CRITICALCVSS 9.8EG 9.82024-06-11
In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. This could have resulted in the browser not correctly h…
- CVE-2024-6866HIGHCVSS 7.5EG 7.52025-03-20
corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch becaus…
- CVE-2025-27636MEDIUMCVSS 5.6EG 5.62025-03-09
Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to u…
- CVE-2025-4035MEDIUMCVSS 4.3EG 4.32025-04-29
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffi…
- CVE-2025-46701HIGHCVSS 7.3EG 7.32025-05-29
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apach…
- CVE-2025-50864MEDIUMCVSS 6.5EG 6.52025-08-20
An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any do…
- CVE-2025-59944HIGHCVSS 8.0EG 8.02025-10-03
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of t…
- CVE-2025-61593HIGHCVSS 8.8EG 7.12025-10-03
Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI Agent protects its sensitive files (i.e. */.cursor/cli.json) allows attackers to modify the content of the files throug…
- CVE-2025-67718HIGHCVSS 8.7EG 8.72025-12-11
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a cra…
- CVE-2026-14617LOWCVSS 3.1EG 3.12026-07-03
A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag …
Map vulnerabilities like CWE-178 to your infrastructure
EchelonGraph correlates every CVE — across CWE-178 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →