
92 matches found

OSV
added 2026/03/05 8:56 p.m., 0 views

GHSA-HJ7X-879W-VRP7 Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

Impact Pingora versions prior to 0.8.0 improperly allowed HTTP/1.0 request bodies to be close-delimited and incorrectly handled multiple Transfer-Encoding values. This allows an attacker to desync Pingora's request framing from backend servers and smuggle requests to the backend. This vulnerabili...

CVSS 9.3, AI score 5.8, EPSS 0.00018
Exploits 0, References 4

NVD
added 2026/03/05 12:15 a.m., 1 view

CVE-2026-2835

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

CVSS 9.3, EPSS 0.00018
Exploits 0, References 1

Circl
added 2026/03/04 11:55 p.m., 1 view

CVE-2026-2835

| creationtimestamp | type | source |
|---|---|---|
| 2026-03-04 23:55:38+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mgbibcch662u |
| 2026-03-05 00:00:42+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116173625220062897 |
| 2026-03-05 00:00:48+00:00 | seen | ... |

CVSS 9.3, AI score 5.9, EPSS 0.00018
Exploits 0, References 3

Vulnrichment
added 2026/03/04 11:32 p.m., 0 views

CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

CVSS 9.3, AI score 5.7, EPSS 0.00018
Exploits 0, References 1

vulnersOsv
added 2026/03/04 12:00 p.m., 2 views

bws-web-server (>=0.1.0 <=0.1.1), pingora (>=0.1.0 <=0.6.0) +6 more potentially affected by CVE-2026-2835 via pingora-core (>=0.1.1 <=0.6.0)

pingora-core CARGO version =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.7 - revoke-gateway =0.3.0 - static-files-module =0.1.0 Source cves: CVE-2026-2835 Source advisory: OSV:RUSTSEC-2026-0034...

CVSS 9.3, AI score 6.7, EPSS 0.00018
Exploits 0

EUVD
added 2026/01/15 6:31 a.m., 1 view

EUVD-2026-2835

Not used...

AI score 6.4
Exploits 0, References 1

RedhatCVE
added 2026/01/09 10:14 a.m., 5 views

CVE-2019-2835

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware subcomponent: Outside In Filters. The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In...

CVSS 7.5, AI score 6.5, EPSS 0.00637
Exploits 0, References 1

Wolfi
added 2025/07/25 1:47 p.m., 2 views

CVE-2022-2835 vulnerabilities

Vulnerabilities for packages: juicefs...

CVSS 4.4, AI score 5.9, EPSS 0.00092
Exploits 0

RedhatCVE
added 2025/05/23 3:19 a.m., 1 view

CVE-2023-2835

The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS 6.1, AI score 5.6, EPSS 0.02052
Exploits 1, References 1

RedhatCVE
added 2025/05/22 1:18 a.m., 6 views

CVE-2013-2835

Google Chrome OS before 26.0.1410.57 does not properly enforce origin restrictions for the O3D and Google Talk plug-ins, which allows remote attackers to bypass the domain-whitelist protection mechanism via a crafted web site, a different vulnerability than CVE-2013-2834...

CVSS 5, AI score 6.5, EPSS 0.00147
Exploits 1, References 1

Rosalinux
added 2025/04/11 10:08 p.m., 29 views

Advisory ROSA-SA-2025-2835

Software: bind-dyndb-ldap 11.6 OS: ROSA Virtualization 2.1 packageevrstring: bind-dyndb-ldap-11.6-5.rv3 CVE-ID: CVE-2023-50387 BDU-ID: 2024-01359 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the DNSSEC component of the DNS protocol implementation of the DNS server BIND is related to the algorithm...

CVSS 7.5, AI score 7.8, EPSS 0.43701
Exploits 0

RedhatCVE
added 2025/03/29 4:30 a.m., 11 views

CVE-2025-2835

A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched...

CVSS 5.3, AI score 7.2, EPSS 0.00128
Exploits 1, References 1

Circl
added 2025/03/27 4:26 a.m., 2 views

CVE-2025-2835

| creationtimestamp | type | source |
|---|---|---|
| 2025-03-27 04:26:00+00:00 | published-proof-of-concept | https://t.me/DarkWebInformerCVEAlerts/9015 |
| 2025-03-27 06:37:18+00:00 | seen | https://t.me/cvedetector/21260... |

CVSS 5.3, AI score 5.8, EPSS 0.00128
Exploits 1, References 2

NVD
added 2025/03/27 4:15 a.m., 8 views

CVE-2025-2835

A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched...

CVSS 5.3, EPSS 0.00128
Exploits 1, References 5

CVE
added 2025/03/27 4:00 a.m., 62 views

CVE-2025-2835

The CVE-2025-2835 entry concerns zhangyd-c OneBlog up to version 2.3.9. The vulnerable item is the autoLink function in com/zyd/blog/controller/RestApiController.java, where manipulation can trigger server-side request forgery (SSRF). The issue allows remote exploitation, and public disclosures e...

CVSS 5.3, AI score 6.9, EPSS 0.00128
Exploits 1, References 5, Affected Software 1

Cvelist
added 2025/03/27 4:00 a.m., 13 views

CVE-2025-2835 zhangyd-c OneBlog RestApiController.java autoLink server-side request forgery

A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched...

CVSS 5.3, EPSS 0.00128
Exploits 1, References 5

Vulnrichment
added 2025/03/27 4:00 a.m., 6 views

CVE-2025-2835 zhangyd-c OneBlog RestApiController.java autoLink server-side request forgery

A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched...

CVSS 5.3, AI score 4.8, EPSS 0.00128
Exploits 1, References 5

IBM Security Bulletins
added 2025/01/28 10:08 p.m., 22 views

Security Bulletin: IBM Storage Protect Server is susceptible to multiple authentication related vulnerabilities due to coreDNS (CVE-2022-2837, CVE-2022-2835, CVE-2024-0874).

Summary: The IBM Storage Protect Server is susceptible to authentication-related vulnerabilities linked to coreDNS. These vulnerabilities may allow an authenticated attacker to bypass security restrictions. Vulnerability Details: CVEID: CVE-2022-2837 DESCRIPTION: coreDNS could allow a remote...

CVSS 6.1, AI score 6.4, EPSS 0.003
Exploits 0, Affected Software 1

OSV
added 2024/06/06 12:29 p.m., 10 views

CGA-R665-2835-4PC9

Bulletin has no description...

CVSS 7.5, AI score 8.3, EPSS 0.75268
Exploits 1

Tenable Nessus
added 2024/06/03 12:00 a.m., 18 views

RHEL 7 : freerdp (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - freerdp: Out-of-bounds write in rdprecvtpktpdu CVE-2017-2835 - FreeRDP before 1.1.0-beta1 allows remote...

CVSS 8.1, AI score 8, EPSS 0.01902
Exploits 6, References 16