EulerOS 2.0 SP13 : busybox (EulerOS-SA-2026-2324)
According to the versions of the busybox packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: BusyBox wget through 1.3.7 accepted raw CR (0x0D), LF (0x0A) and other C0 control bytes in the HTTP request-target path/query, allowing the request line...
SUSE-SU-2026:21823-1 Security update for nginx
This update for nginx fixes the following issues: - CVE-2026-1642: plain text data injection into the response from an upstream proxied server (bsc#1257675). - CVE-2026-27654: buffer overflow in the NGINX worker process via the ngx_http_dav_module module (bsc#1260416). - CVE-2026-27784: NGINX worker memor...
python: Fix of 4 CVEs
CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.__init__ via a new _validate_host helper to prevent CRLF header injection; the glibc...
CVE-2026-43870
Apache Thrift (before 0.23.0) contains multiple issues: Origin Validation Error, Path Traversal (improper limitation of a pathname to a restricted directory), HTTP header CRLF-related splitting, and uncontrolled resource consumption. Upgrade to 0.23.0 to fix. Exploitation status is not provided i...
security-advisories
Security Advisories Public write-ups and PoCs for CVEs I've d...
PT-2026-30675
Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME...
Important: nodejs22
Issue Overview: Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted:...
Linux Distros Unpatched Vulnerability : CVE-2026-1536
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into t...
Fedora 43 : cpp-httplib (2026-e50e41fcea)
The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-e50e41fcea advisory. Update to 0.30.1 - Denial of service (DoS) using zip bomb CVE-2026-22776 - CRLF injection in HTTP headers CVE-2026-21428 - Untrusted HTTP Header...
Fedora 42 : cpp-httplib (2026-3b0e5b457d)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-3b0e5b457d advisory. Update to 0.30.1 - Denial of service (DoS) using zip bomb CVE-2026-22776 - CRLF injection in HTTP headers CVE-2026-21428 - Untrusted HTTP Header...
RockyLinux 9 : nodejs:18 (RLSA-2023:2654)
The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:2654 advisory. glob-parent: Regular Expression Denial of Service CVE-2021-35065 c-ares: buffer overflow in config_sortlist due to missing string length check CVE-2022-49...
CVE-2025-61689
CVE-2025-61689 affects the Julia HTTP client/server library HTTP.jl. Prior to version 1.10.19, it failed to validate illegal characters in header names/values, enabling CRLF-based header injection and response splitting. Reported impact includes cache poisoning, XSS, and session fixation. The iss...
Linux Distros Unpatched Vulnerability : CVE-2022-31150
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than...
CVE-2025-57804
CVE-2025-57804 affects the Python package h2 (HTTP/2 protocol stack). Prior to version 4.3.0, it allows HTTP/2 request splitting via CRLF injection in headers when servers downgrade HTTP/2 requests to HTTP/1.1 without validating header names/values. This can enable attackers to manipulate request...
Mozilla: Security bug https://bugzilla.mozilla.org/oauth/authorize - CRLF Header injection via "redirect_uri" parameter
A cross-site scripting vulnerability was found in the "redirect_uri" parameter of the OAuth authorization endpoint at https://bugzilla.mozilla.org/oauth/authorize that allowed arbitrary HTTP response headers to be injected through carriage return and line feed encoding in the parameter value,...
PT-2023-6702 · Tp Link · Tp-Link Tapo C100
Name of the Vulnerable Software and Affected Versions: TP-Link Tapo C100 versions 1.1.15 Build 211130 Rel.15378n4555 and before Description: The issue is related to the HTTP service of the TP-Link Tapo C100 IP camera's firmware, specifically with the handling of CRLF sequences in HTTP headers. Th...
The vulnerability of the mod_proxy module in the Apache HTTP Server allows attackers to perform attacks that involve splitting HTTP responses.
The vulnerability of the mod_proxy module in the Apache HTTP Server is related to the failure to handle CRLF sequences in HTTP headers. Exploiting this vulnerability allows a remote attacker to perform attacks that involve splitting HTTP responses...
The vulnerability of the Ceph storage system, related to the failure to handle CRLF sequences in HTTP headers, allows attackers to inject arbitrary HTTP headers.
The vulnerability of the Ceph storage system is related to the failure to handle CRLF sequences in HTTP headers. Exploiting this vulnerability allows a malicious actor to inject arbitrary HTTP headers, such as Set-Cookie, in order to set arbitrary cookies...
The vulnerability of the McAfee VirusScan Enterprise anti-virus software allows an attacker to obtain confidential information.
The vulnerability of the McAfee VirusScan Enterprise anti-virus software arises from the failure to handle CRLF sequences in headers properly. Exploiting this vulnerability can allow a remote attacker to obtain confidential information...
DEBIAN-CVE-2016-5699
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL...