CVE-2026-40560 Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An...

CVE-2026-40560

CVE-2026-40560 affects Starman for Perl prior to 0.4018. The vulnerability arises from improper header precedence: when both Content-Length and Transfer-Encoding: chunked are present, Starman incorrectly prioritizes Content-Length instead of the Transfer-Encoding rule, violating RFC 7230 section ...

CVE-2026-40560

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An...

CVE-2026-40560

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An...

EUVD-2026-26189

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An...

SUSE-SU-2026:21419-1 Security update for openCryptoki

This update for openCryptoki fixes the following issues: - CVE-2026-23893: use of symlinks in group-writable token directories can lead to privilege escalation and data exposure bsc1257116. - CVE-2026-40253: malformed BER-encoded cryptographic objects can lead to information disclosure and denial...

Improper Input Encoding

Axios is vulnerable to Improper Input Encoding. The vulnerability is due to incorrect character mapping in the encode function, where safely percent-encoded null bytes %00 are converted back to raw null bytes, potentially leading to unsafe request data handling in affected usage scenarios...

CVE-2026-5306

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled...

PT-2026-35863

Name of the Vulnerable Software and Affected Versions Starman versions prior to 0.4018 Description Improper header precedence allows HTTP Request Smuggling. The software incorrectly prioritizes the Content-Length header over Transfer-Encoding: chunked when both are present in an HTTP request, whi...

CVE-2026-41894

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check IsSensitivePath but did not address the root cause — a redundant url.PathUnescape call in serveExport. An authenticated attacker can use double URL encoding...

SUSE-SU-2026:21455-1 Security update for openCryptoki

This update for openCryptoki fixes the following issues: - CVE-2026-23893: use of symlinks in group-writable token directories can lead to privilege escalation and data exposure bsc1257116. - CVE-2026-40253: malformed BER-encoded cryptographic objects can lead to information disclosure and denial...

xss

CSS Style Sheet Mutation alert"This is a test" alert"...

CVE-2026-40048

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

WebFileSys 安全漏洞

WebFileSys is a web-based multi-user file manager developed by WebFileSys Inc. in Java. Version 2.31.1 of WebFileSys contains a security vulnerability, which stems from improperly encoded user-controlled inputs. This vulnerability could lead to reflection-type cross-site scripting attacks...

Linux Distros Unpatched Vulnerability : CVE-2026-33662

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OP-TEE is a Trusted Execution Environment TEE designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology...

python-ecdsa DER Parser Security Test Suite

This Python script is a security test and validation suite for the python-ecdsa library, focused on detecting potential DER Distinguished Encoding Rules parsing anomalies that may relate to CVE-2026-33936...

Linux Distros Unpatched Vulnerability : CVE-2026-42040

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contain...

CVE-2026-29971

WebFileSys CVE-2026-29971: A reflected XSS in version 2.31.1 (pre-2.32.0) where user-controlled input is reflected into HTML/JavaScript without proper encoding, enabling arbitrary JavaScript execution in the victim’s browser via components such as ftpBackup, authentication input handling, search,...

CVE-2026-29971

A reflected cross-site scripting XSS vulnerability exists in WebFileSys version before 2.32.0 and fixed in v.2.32.0. User-controlled input is reflected into HTML and JavaScript contexts without proper output encoding, allowing arbitrary JavaScript execution in the victim's browser via the ftpBack...

PT-2026-35369

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...