Lucene search
K

53 matches found

OSV
OSV
added 2026/07/07 10:17 a.m.4 views

PYSEC-2026-920 Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`

Impact When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their...

7.6CVSS6AI score0.00641EPSS
Exploits0References7
NVD
NVD
added 2026/06/23 1:16 p.m.15 views

CVE-2026-56762

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters e.g. \r or \n when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...

6.9CVSS0.00247EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/23 12:13 p.m.9 views

CVE-2026-56762 Hono - Missing Cookie Name Validation in setCookie()

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters e.g. \r or \n when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...

6.9CVSS5.9AI score0.00247EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 12:13 p.m.15 views

CVE-2026-56762

Hono CVE-2026-56762 affects Hono before 4.12.12, where cookie-name validation is missing on the write path in setCookie(), serialize(), and serializeSigned(). This allows invalid characters (e.g., control chars like \r/\n) in user-controlled cookie names, producing malformed Set-Cookie header val...

6.9CVSS5.9AI score0.00247EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:13 p.m.12 views

CVE-2026-56762

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters e.g. \r or \n when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...

6.9CVSS5.9AI score0.00247EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 12:13 p.m.3 views

CVE-2026-56762 Hono - Missing Cookie Name Validation in setCookie()

Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters e.g. \r or \n when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...

6.9CVSS6AI score0.00247EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/12 9:58 a.m.33 views

CVE-2026-43969

A flaw was found in cowlib, a library used for handling HTTP cookies. An attacker can exploit this vulnerability by injecting special characters, such as carriage return CR and line feed LF, into cookie names or values due to improper input validation. This allows for HTTP request splitting,...

3.2CVSS5.9AI score0.00145EPSS
Exploits0References2
Veracode
Veracode
added 2026/04/17 10:38 a.m.9 views

Improper Access Control

Hono is vulnerable to Improper Access Control. The vulnerability is due to inconsistent cookie parsing between browsers and the parse function, where differently formatted cookie names may be normalized to the same key, allowing attacker-controlled cookies to override legitimate ones and bypass...

4.8CVSS5.1AI score0.00284EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/08 2:44 p.m.1 views

CVE-2026-39410 Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to th...

4.8CVSS5.9AI score0.00284EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/08 12:17 a.m.5 views

HTTP Response Splitting

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie...

6.9CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/04/08 12:17 a.m.8 views

GHSA-26PP-8WGV-HJVM Hono missing validation of cookie name on write path in setCookie()

Summary Cookie names are not validated on the write path when using setCookie, serialize, or serializeSigned to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent...

5.3CVSS5.8AI score0.00247EPSS
Exploits0References4
OSV
OSV
added 2026/01/26 2:50 p.m.13 views

BIT-PYTHON-2026-0672 Header injection in http.cookies.Morsel

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS5.9AI score0.00401EPSS
Exploits0References10
OSV
OSV
added 2026/01/26 2:43 p.m.5 views

BIT-LIBPYTHON-2026-0672 Header injection in http.cookies.Morsel

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS5.9AI score0.00401EPSS
Exploits0References10
EUVD
EUVD
added 2026/01/21 12:31 a.m.6 views

EUVD-2026-3521

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS5.4AI score0.00401EPSS
Exploits0References5
OSV
OSV
added 2026/01/20 10:15 p.m.7 views

AZL-75026 CVE-2026-0672 affecting package python3 for versions less than 3.12.9-8

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS5.7AI score0.00401EPSS
Exploits0References1
NVD
NVD
added 2026/01/20 10:15 p.m.4 views

CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS0.00401EPSS
Exploits0References9
OSV
OSV
added 2026/01/20 10:15 p.m.1 views

DEBIAN-CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS5.2AI score0.00401EPSS
Exploits0References1
OSV
OSV
added 2026/01/20 10:15 p.m.5 views

UBUNTU-CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS5.8AI score0.00401EPSS
Exploits0References9
OSV
OSV
added 2026/01/20 9:52 p.m.6 views

PSF-2026-5

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS5.4AI score0.00401EPSS
Exploits0References9
OSV
OSV
added 2026/01/20 9:52 p.m.6 views

CVE-2026-0672 Header injection in http.cookies.Morsel

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

6CVSS7AI score0.00401EPSS
Exploits0References12
Rows per page
Query Builder