urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

PT-2026-5714

Name of the Vulnerable Software and Affected Versions FacturaScripts versions 2025.71 and earlier Description FacturaScripts software contains a Stored Cross-Site Scripting XSS flaw within the Observations field in the History view. The application fails to properly encode HTML entities when...

EulerOS 2.0 SP13 : golang (EulerOS-SA-2026-1209)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse...

Linux Distros Unpatched Vulnerability : CVE-2026-1760

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding:...

FacturaScripts 跨站脚本漏洞

FacturaScripts is an open-source ERP software developed by Carlos Garcia, a Spanish developer. Versions of FacturaScripts prior to 2025.71 contained a cross-site scripting vulnerability. This vulnerability occurred due to improper HTML entity encoding during the rendering of historical data in th...

SUSE-SU-2026:0355-1 Security update for glib2

This update for glib2 fixes the following issues: - CVE-2026-1485: Fixed buffer underflow and out-of-bounds access due to integer wraparound in content type parsing bsc1257354. - CVE-2026-1484: Fixed buffer underflow and out-of-bounds access due to miscalculated buffer boundaries in the Base64...

EulerOS Virtualization 2.10.1 : python3 (EulerOS-SA-2026-1141)

According to the versions of the python3 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : There is a defect in the CPython 'tarfile' module affecting the 'TarFile' extraction and entry enumeration APIs. The tar...

EulerOS Virtualization 2.10.1 : gnutls (EulerOS-SA-2026-1118)

According to the versions of the gnutls packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of...

CLEANSTART-2026-PG91940 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines

Multiple security vulnerabilities affect the harbor-registry package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...

OESA-2026-1274 expat security update

expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial. Security Fixes: In libexpat before 2.7.4, XMLExternalEntityParserCreate does not copy unknown encoding handler user data.CVE-2026-24515...

OESA-2026-1272 expat security update

expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial. Security Fixes: In libexpat before 2.7.4, XMLExternalEntityParserCreate does not copy unknown encoding handler user data.CVE-2026-24515...

CVE-2025-63649

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: weldr-client (UTSA-2026-005216)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005216 advisory. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is us...

CVE-2026-25067

SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows U...

CVE-2025-63649

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...

📄 OpenSSL 3.x ASN.1 AES‑GCM Nonce Stack Corruption

This Metasploit auxiliary module generates a specially crafted CMS file encoded in DER format to test a stack-based buffer overflow vulnerability in OpenSSL's ASN.1 parser related to improper handling of oversized AES-GCM nonce IV values within AES-GCM-Parameters as defined in RFC 5084. The...

zeek -- potential DoS vulnerability

Tim Wojtulewicz of Corelight reports: Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or Content-Length headers set in MIME entities within HTTP bodies and change the analyzer behavior...

CVE-2025-63649

An out-of-bounds read in the httpparsertransferencodingchunked function mkserver/mkhttpparser.c of monkey commit f37e984 allows attackers to cause a Denial of Service DoS via sending a crafted POST request to the server...