1192 matches found
Apache2 - Transfer-Encoding Chunked XSS
Apache2 PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 contain a reflected cross-site scripting vulnerability caused by mishandling of chunked transfer-encoding requests in sapi/apache2handler/sapiapache2.c. Attackers can execute malicious scripts via crafted...
CVE-2026-48946
The K2 frontend article-attachment upload path accepts files whose extension is .php, and Apache's standard modphp matches .php$ and executes them under the K2 web user. A K2 Author can upload a shell.php, then fetch /media/k2/attachments/shell.php and execute arbitrary PHP code in the web...
mod_http2: Apache HTTP Server: HTTP/2 DoS by Memory Increase
A flaw was found in Apache HTTP Server. This late release of memory after effective lifetime vulnerability allows a remote, unauthenticated attacker to cause a denial of service DoS. The vulnerability can lead to resource exhaustion, making the server unavailable to legitimate users...
httpd: NULL pointer dereference via specially crafted request
A flaw was found in the moddavlock module of httpd. This vulnerability allows a remote unauthenticated attacker to crash the server due to a NULL pointer dereference via a specially crafted request...
mod_http2: Apache HTTP Server: HTTP/2 DoS by Memory Increase
A flaw was found in Apache HTTP Server. This late release of memory after effective lifetime vulnerability allows a remote, unauthenticated attacker to cause a denial of service DoS. The vulnerability can lead to resource exhaustion, making the server unavailable to legitimate users...
httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check
A flaw was found in the modproxyajp module of httpd. When processing AJP Apache JServ Protocol messages, the server fails to properly check if a string is null-terminated before attempting to read it, allowing an attacker or a malformed request to cause a heap-based buffer over-read. This issue...
Astra Linux – Vulnerability in Apache2
In some modssl configurations of the Apache HTTP Server, from versions up to 2.4.63, an HTTP desynchronization attack allows a man-in-the-middle attacker to hijack an HTTP session through a TLS upgrade. Only configurations that use “SSLEngine optional” to enable TLS upgrades are affected. Users a...
Astra Linux – Vulnerability in Apache2
An attacker who establishes an HTTP/2 connection with an initial window size of 0 was able to indefinitely block the handling of that connection in Apache HTTP Server. This could be used to exhaust server resources, similar to the well-known “slow loris” attack pattern. This issue has been fixed ...
Astra Linux – Vulnerability in Apache2
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in apstrcmpmatch, especially when an extremely large input buffer is used. Although no code distributed with the server can be forced to make such a call, third-party modules or Lua scripts that us...
Astra Linux – Vulnerability in Apache2
If the Apache HTTP Server 2.4.53 is configured to perform transformations using modsed, especially in contexts where the input to modsed can be very large, modsed may cause excessive memory allocation and trigger an abort...
Astra Linux – Vulnerability in Apache2
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a Lua script that calls r:parsebody0 may cause a denial of service due to the lack of a default limit on the possible input size...
Astra Linux – Vulnerability in Apache2
In the Apache HTTP Server with modproxy loaded, SSRF allows an attacker to send outbound proxy requests to a URL controlled by the attacker. This requires a unusual configuration, where modheaders is used to modify the Content-Type header of the request or response, with a value provided in the...
Astra Linux – Vulnerability in Apache2
Splitting of HTTP responses within the core of the Apache HTTP Server allows attackers who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was identified as CVE-2023-38709, but the patch included in...
Astra Linux – Vulnerability in Apache2
There is a vulnerability in the core of the Apache HTTP Server version 2.4.59 and earlier. This vulnerability allows for information disclosure, SSRF attacks, or local script execution through backend applications whose response headers are malicious or exploitable. Users are recommended to upgra...
Astra Linux – Vulnerability in Apache2
Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor can the Apache HTTP Server team have created such a report. However, certain compilers and/or compilation options...
Astra Linux – Vulnerability in Apache2
A regression in Apache HTTP Server 2.4.60 ignores some uses of the legacy content-type-based configuration for handlers. Configurations like “AddType” and similar settings, under certain circumstances where files are requested indirectly, can lead to exposure of local content in the source code...
[SECURITY] [DLA 4629-1] apache2 security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-4629-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucariès June 12, 2026 https://wiki.debian.org/LTS -...
Debian dla-4629 : apache2 - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4629 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4629-1 [email protected]...
ALSA-2026:25225 Important: mod_http2 security update
The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack CVE-2026-49975 For more details about the security issues, including the impact, a...
BIT-APACHE-2026-44185 Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request`
Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue...