Lucene search
K

3403 matches found

NVD
NVD
โ€ขadded yesterdayโ€ข7 views

CVE-2026-12127

The WPForms โ€“ Easy Form Builder for WordPress โ€“ Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences 'CRLF Injection' in all versions up to, and including, 1.10.2 This is due to getreplytoaddress processing the Reply-To...

5.3CVSS0.00343EPSS
Exploits0References11
CVE
CVE
โ€ขadded yesterdayโ€ข6 views

CVE-2026-12127

WPForms โ€“ Easy Form Builder for WordPress (WordPress plugin WPForms Lite) versions up to 1.10.2 are vulnerable to CRLF header injection in outgoing notification emails. The root cause is improper neutralization of CRLF sequences: get_reply_to_address() expands the Reply-To display name with conte...

5.3CVSS5.9AI score0.00343EPSS
Exploits0References11
EUVD
EUVD
โ€ขadded yesterdayโ€ข5 views

EUVD-2026-40907

The WPForms โ€“ Easy Form Builder for WordPress โ€“ Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences 'CRLF Injection' in all versions up to, and including, 1.10.2 This is due to getreplytoaddress processing the Reply-To...

5.3CVSS5.9AI score0.00343EPSS
Exploits0References11
Nuclei
Nuclei
โ€ขadded yesterdayโ€ข78 views

Sercomm VD625 Smart Modems - CRLF Injection

Sercomm AGCOMBO VD625 Smart Modems with firmware version AGSOT2.1.0 are vulnerable to Carriage Return Line Feed CRLF injection via the Content-Disposition header. id: CVE-2021-27132 info: name: Sercomm VD625 Smart Modems - CRLF Injection author: geeknik severity: critical description: Sercomm...

9.8CVSS7.3AI score0.16687EPSS
Exploits1References5
Nuclei
Nuclei
โ€ขadded 2 days agoโ€ข101 views

Kerio Control v9.2.5 - CRLF Injection

Kerio Control, formerly known as Kerio WinRoute Firewall, has been found vulnerable to multiple HTTP Response Splitting vulnerabilities in product affecting versions 9.2.5 id: CVE-2024-52875 info: name: Kerio Control v9.2.5 - CRLF Injection author: ritikchaddha,iamnoooob,rootxharsh,pdresearch...

8.8CVSS7.5AI score0.29116EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
โ€ขadded 3 days agoโ€ข5 views

Linux Distros Unpatched Vulnerability : CVE-2026-47240

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw data...

5.8CVSS6AI score0.00491EPSS
Exploits0References3
EUVD
EUVD
โ€ขadded 6 days agoโ€ข11 views

EUVD-2026-31690

Hackney has CRLF / header injection in WebSocket upgrade request...

7.5CVSS5.8AI score0.00506EPSS
Exploits1References5
EUVD
EUVD
โ€ขadded 6 days agoโ€ข11 views

EUVD-2026-31683

Hackney has CRLF / header injection via unvalidated domain and path options...

5.3CVSS5.8AI score0.00374EPSS
Exploits1References5
CVE
CVE
โ€ขadded 2026/06/23 3:7 p.m.โ€ข11 views

CVE-2026-55766

Summary (CVE-2026-55766): guzzlehttp/psr7 (PHP) before 2.12.1 is vulnerable to CRLF injection in the HTTP start-line fields (method, protocol version, reason phrase) when attacker-controlled data ends up in those fields and the message is serialized or forwarded. The flaw requires the malformed m...

4.8CVSS5.8AI score0.00158EPSS
Exploits0References1Affected Software1
OSV
OSV
โ€ขadded 2026/06/23 12:59 p.m.โ€ข6 views

JLSEC-2026-619 CR/LF injection in server-sent events (SSE) fields in HTTP.jl

Description The server-side SSE serializer wrote the single-line fields event, id, and retry verbatim to the text/event-stream wire with no CR/LF filtering, and split the multi-line data field only on \n, ignoring a bare \r that is also a valid SSE line terminator. The SSEEvent constructor...

6AI score
Exploits0References2
OSV
OSV
โ€ขadded 2026/06/23 12:59 p.m.โ€ข5 views

JLSEC-2026-616 HTTP/1 client request smuggling via CR/LF in method, target, or host in HTTP.jl

Description The HTTP/1 client serialized request.method and request.target and, in forward-proxy absolute-form, the host verbatim onto the wire with no CR/LF/CTL filtering; the only target validator was wired solely into the server parse path. A caller passing an attacker-influenced URL or method...

6AI score
Exploits0References2
NVD
NVD
โ€ขadded 2026/06/22 9:16 p.m.โ€ข11 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
NVD
NVD
โ€ขadded 2026/06/22 9:16 p.m.โ€ข9 views

CVE-2026-47240

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing...

5.8CVSS0.00491EPSS
Exploits0References1
NVD
NVD
โ€ขadded 2026/06/22 9:16 p.m.โ€ข10 views

CVE-2026-47241

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled inpu...

2.1CVSS0.00239EPSS
Exploits0References1
NVD
NVD
โ€ขadded 2026/06/22 9:16 p.m.โ€ข10 views

CVE-2026-47242

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAPid is called with a hash argument, although the ID field value strings are correctly quoted escaping quoted specials, they were not validated to prohibit CRLF sequence...

5.8CVSS0.00131EPSS
Exploits0References1
CVE
CVE
โ€ขadded 2026/06/22 8:17 p.m.โ€ข38 views

CVE-2026-47240

Summary of CVE-2026-47240 (Net::IMAP, Ruby) : The vulnerability affects Net::IMAPโ€™s IMAP client in Ruby, where several commands accept a โ€œraw dataโ€ argument that is validated but could still be exploited if a server does not support non-synchronizing literals. In that case, a server may interpret...

5.8CVSS6AI score0.00491EPSS
Exploits0References1
Cvelist
Cvelist
โ€ขadded 2026/06/22 8:17 p.m.โ€ข22 views

CVE-2026-47240 Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing...

5.8CVSS0.00491EPSS
Exploits0References1
CVE
CVE
โ€ขadded 2026/06/22 8:11 p.m.โ€ข22 views

CVE-2026-47241

Net::IMAP in Ruby (affected: before 0.6.5 and 0.5.15) validates CRLF but may send a user-controlled raw string verbatim, allowing a subsequent command to be absorbed as a continuation of the first. This can cause the first command to fail and block further responses until another command is issue...

2.1CVSS5.9AI score0.00239EPSS
Exploits0References1
Cvelist
Cvelist
โ€ขadded 2026/06/22 8:7 p.m.โ€ข22 views

CVE-2026-55603 http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
Github Security Blog
Github Security Blog
โ€ขadded 2026/06/19 2:35 p.m.โ€ข11 views

guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization

Impact guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x...

4.8CVSS5.8AI score0.00158EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder