@hexmortem.com on Bluesky

JavaScript RequiredThis is a heavily interactive web application, and JavaScript is required. Simple HTML interfaces are possible, but that is not what this is. Learn more about Bluesky at bsky.social and atproto.com.

Post

Hexmortem Labs

hexmortem.com

did:plc:ob77vazfvnsjq74uuutvgzz3

CVE-2026-41248 — Clerk middleware bypass. Middleware tests the raw URL; framework router decodes before dispatch. /api/%61dmin/users → middleware reads "%61dmin", PASS. Handler reads "admin", runs unauthenticated. Affected: @clerk/shared ≤ 3.47.3 (nextjs/nuxt/astro). Fixed b0b6675bad.

2026-05-01T09:32:44.371Z