44 matches found
libcurl 7.46.0 < 8.21.0 Super Cookie PSL Bypass (CVE-2026-8924)
The version of libcurl installed on the remote host is 7.46.0 prior to 8.21.0. It is, therefore, affected by a cookie injection vulnerability: - A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an...
CVE-2026-8924
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...
CVE-2026-55688
The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without...
CVE-2026-55688 AsyncHttpClient: Cookie stored for an unrelated domain (cookie tossing) via ThreadSafeCookieStore
The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without...
UBUNTU-CVE-2026-8924
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...
CURL-CVE-2026-8924 trailing dot domain super cookie
A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...
CVE-2026-55767
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...
CVE-2026-54279 AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. This vulnerability is fixed in 3.14.1...
CVE-2026-54279
CVE-2026-54279 affects the aiohttp library (Python asyncio framework). Prior to version 3.14.1, host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() may lose their host-only status, effectively becoming domain cookies. The issue is fixed in aiohttp 3.14.1. Affect...
GHSA-2FQR-MR3J-6WP8 aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...
Astra Linux – Vulnerability in Firefox and Thunderbird
When the number of cookies per domain was exceeded in document.cookie, the actual cookie jar sent to the host was no longer consistent with the expected state of the cookie jar. This could result in requests being sent with some cookies missing. This vulnerability affects Firefox 116, Firefox ESR...
GHSA-GMFG-3V4Q-9QR4 Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Impact Official Weighted Severity Rating: Low This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, any other value other than unconfigured should be very carefully evaluated regardles...
PT-2026-27623
Name of the Vulnerable Software and Affected Versions Authelia versions 4.39.15 Description Authelia is an open-source authentication and authorization server. An attacker may potentially be able to inject javascript into the Authelia login page if specific conditions are met, including...
curl: Public-suffix cookie injection when libpsl is disabled
Summary: When libcurl is built without libpsl, Domain attribute validation accepts public suffixes like .co.uk, allowing a malicious host to plant cookies that are later sent to unrelated sibling domains using the same cookie jar. AI assistance was used to draft this report. Steps to Reproduce: 1...
EUVD-2025-14754
Malicious code in bioql PyPI...
CVE-2025-31491 AutoGPT allows leakage of cross-domain cookies and protected headers in requests redirect
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows of leakage of cross-domain cookies and protected headers in requests redirect. AutoGPT uses a wrapper around the requests...
CVE-2025-31491 AutoGPT allows leakage of cross-domain cookies and protected headers in requests redirect
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows of leakage of cross-domain cookies and protected headers in requests redirect. AutoGPT uses a wrapper around the requests...
AutoGPT 信息泄露漏洞
AutoGPT is a tool from AutoGPT Open Source. Used to enable everyone to use and build accessible AI. An information disclosure vulnerability exists in versions of AutoGPT prior to 0.6.1 that stems from the presence of cross-domain cookies and protected header disclosure in request redirects...
PT-2024-40303 · Artax · Artax
Name of the Vulnerable Software and Affected Versions: artax versions prior to 1.0.6 artax versions 2 prior to 2.0.6 Description: The issue allowed cookies of foo.bar.example.com to be leaked to foo.bar. Furthermore, any site could set cookies for any other site. This was resolved by artax...