Allocation of Resources Without Limits or Throttling

Overview org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the GzipHandler process when handling a compressed HTTP request with...

CVE-2026-1605

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing t...

CVE-2026-1605

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing t...

Improper Handling of URL Encoding (Hex Encoding)

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Handling of URL Encoding Hex Encoding via inconsistent URL decoding between the serveStatic process and route-based middleware protections. An attacker can access protected stati...

Duplicate Advisory: HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hj7x-879w-vrp7. This link is maintained to preserve external references. Original Description An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding...

GHSA-262P-VJX5-45XH Duplicate Advisory: HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hj7x-879w-vrp7. This link is maintained to preserve external references. Original Description An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding...

CVE-2026-2835

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

SUSE SLES12 Security Update : postgresql18 (SUSE-SU-2026:0785-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2026:0785-1 advisory. This update for postgresql18 fixes the following issue: Update to version 18.3 bsc1258754. Regression fixes: - the substring function raises an error...

Pingora 安全漏洞

Pingora is a library open sourced by Cloudflare, used to build fast, reliable, and scalable network services. Prior to Pingora v0.8.0, there were security vulnerabilities. These vulnerabilities stemmed from the use of HTTP request interception techniques when parsing HTTP/1.0 and Transfer-Encodin...

CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

CVE-2026-2835

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

CVE-2026-2835

Pingora contains an HTTP Request Smuggling (CWE-444) flaw in its parsing of HTTP/1.0 bodies and multiple Transfer-Encoding values, which can desynchronize request framing and allow a frontend proxy to bypass ACLs, poison caches, and enable cross-user attacks when Fronting certain backends. Cloudf...

CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

An HTTP Request Smuggling vulnerability CWE-444 has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification via the ContentReader process when handling requests with Content-Encoding: gzip. An attacker can cause excessive resource consumption by sending a small compressed payload...

CVE-2026-28435

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib httplib.h does not enforce Server::setpayloadmaxlength on the decompressed request body when using HandlerWithContentReader streaming ContentReader with Content-Encoding: gzip or other...

DEBIAN-CVE-2026-28435

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib httplib.h does not enforce Server::setpayloadmaxlength on the decompressed request body when using HandlerWithContentReader streaming ContentReader with Content-Encoding: gzip or other...

CVE-2026-28435

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib httplib.h does not enforce Server::setpayloadmaxlength on the decompressed request body when using HandlerWithContentReader streaming ContentReader with Content-Encoding: gzip or other...

UBUNTU-CVE-2026-28435

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib httplib.h does not enforce Server::setpayloadmaxlength on the decompressed request body when using HandlerWithContentReader streaming ContentReader with Content-Encoding: gzip or other...

Improper Handling of URL Encoding (Hex Encoding)

Overview @hono/node-server is a Node.js Adapter for Hono Affected versions of this package are vulnerable to Improper Handling of URL Encoding Hex Encoding via inconsistent URL decoding between the serveStatic process and route-based middleware protections. An attacker can access protected static...

EUVD-2026-9496

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib httplib.h does not enforce Server::setpayloadmaxlength on the decompressed request body when using HandlerWithContentReader streaming ContentReader with Content-Encoding: gzip or other...