MiracleLinux 7 : java-1.8.0-openjdk-1.8.0.161-0.b14.el7 (AXSA:2018-2516:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2018-2516:01 advisory. Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass...

CVE-2026-23527

H3 is a minimal HTTP framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this heade...

GHSA-MP2G-9VG9-F4CG h3 v1 has Request Smuggling (TE.TE) issue

I was digging into h3 v1 specifically v1.15.4 and found a critical HTTP Request Smuggling vulnerability. Basically, readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. The...

h3 v1 has Request Smuggling (TE.TE) issue

I was digging into h3 v1 specifically v1.15.4 and found a critical HTTP Request Smuggling vulnerability. Basically, readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. The...

HTTP Request Smuggling

Overview org.webjars.npm:h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to HTTP Request Smuggling via improper parsing of the Transfer-Encoding header in the readRawBody function. An attacker can bypass security controls...

CVE-2026-23527 Request Smuggling (TE.TE) in h3 v1

H3 is a minimal HTTP framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this heade...

CVE-2026-23527 h3 v1 has Request Smuggling (TE.TE) issue

H3 is a minimal HTTP framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this heade...

EUVD-2026-2737

H3 is a minimal HTTP framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this heade...

CVE-2026-23527

CVE-2026-23527 affects the h3 HTTP framework (pre-1.15.5). The vulnerability is in readRawBody, which performs a strict case-sensitive check for the Transfer-Encoding header and looks for the literal value “chunked.” Because RFC requires case-insensitive handling, an attacker can craft a request ...

HTTP Request Smuggling

Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to HTTP Request Smuggling via improper parsing of the Transfer-Encoding header in the readRawBody function. An attacker can bypass security controls and poison web...

CVE-2026-23527 h3 v1 has Request Smuggling (TE.TE) issue

H3 is a minimal HTTP framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this heade...

CVE-2025-56226

A flaw was found in the libsndfile library. This issue occurs when encoding MP3 files. During initialization, when an unsupported sample rate is detected, encoding resources are not released within the error-handling path due to an incomplete initialization, impacting system performance and...

PT-2026-3098

Name of the Vulnerable Software and Affected Versions H3 versions prior to 1.15.5 Description H3 is a minimal HTTP framework designed for high performance and portability. A critical HTTP Request Smuggling issue exists due to a case-sensitive check for the 'Transfer-Encoding' header within the...

H3 Environmental Issues and Vulnerabilities

H3 is an open-source HTTP framework developed by H3. Versions prior to H3 1.15.5 contained an environmental issue vulnerability. This vulnerability stemmed from the strict case-sensitive handling of the Transfer-Encoding header, which could lead to HTTP request payload attacks...

GHSA-G9MF-H72J-4RW9 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Impact The fetch API supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, br. This is also supported by the undici decompress interceptor. However, the number of links in the decompression chain is unbounded and the default maxHeaderSi...

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Impact The fetch API supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, br. This is also supported by the undici decompress interceptor. However, the number of links in the decompression chain is unbounded and the default maxHeaderSi...

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by...

Allocation of Resources Without Limits or Throttling

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by sending HTTP...

CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...