CVE-2026-27482: Incomplete HTTP Method Blocklist
Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | Python
greprules fetch cve-2026-27482-incomplete-http-method-blocklist --engine opengrep

Description
Using a blocklist of HTTP methods (e.g., explicitly matching POST or PUT) to deny requests is prone to omissions. Methods like DELETE or PATCH may be inadvertently allowed, leading to CSRF or unintended modifications from untrusted origins. Use an allowlist of safe methods (e.g., GET, HEAD, OPTIONS) and deny all others instead.
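The two checks side by side, as an added example (not the rule's own code or code from any affected project). `Request`, `TRUSTED_ORIGINS` and the function names are assumptions made for illustration, and the origins are constructed values.

```python
"""Blocklist vs. allowlist method checks for requests from untrusted origins."""
from dataclasses import dataclass

# Hypothetical configuration: constructed values for this example only.
TRUSTED_ORIGINS = frozenset({"https://app.example.test"})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass(frozen=True)
class Request:
    method: str  # request method exactly as received
    origin: str  # value of the Origin header


def deny_with_blocklist(req: Request) -> bool:
    """Flawed pattern: only the methods someone remembered to list are denied."""
    if req.origin not in TRUSTED_ORIGINS and req.method in ("POST", "PUT"):
        return True
    return False  # DELETE, PATCH and anything else falls through


def deny_with_allowlist(req: Request) -> bool:
    """Hardened pattern: every method outside the safe set is denied."""
    if req.origin not in TRUSTED_ORIGINS and req.method not in SAFE_METHODS:
        return True
    return False


def compare(methods, origin):
    """Map each method to (blocklist_denies, allowlist_denies) for one origin."""
    return {
        m: (deny_with_blocklist(Request(m, origin)),
            deny_with_allowlist(Request(m, origin)))
        for m in methods
    }


if __name__ == "__main__":
    methods = ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "patch"]
    for method, (blk, alw) in compare(methods, "https://other.example.test").items():
        gap = "  <-- blocklist gap" if alw and not blk else ""
        print(f"{method:7} blocklist_denies={blk!s:5} allowlist_denies={alw!s:5}{gap}")
```

The allowlist compares the method string exactly, so an unexpected spelling such as a lowercase `patch` is denied rather than slipping past the check.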