
74 matches found

Amazon
added 2026/06/08 12:0 a.m., 4 views

Medium: credentials-fetcher

Issue Overview: A denial of service vulnerability GHSA-XMRV-PMRH-HHX2 was found in the bundled AWS SDK for Go v2 EventStream decoder used by credentials-fetcher. An attacker who can inject a malformed EventStream response frame with a crafted header value type byte outside the valid range can cau...

5.4 AI score
Exploits: 0
Vulnrichment
added 2026/05/11 2:55 p.m., 5 views

CVE-2026-34091 User localization leaked by AbuseFilter + EventStream

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from before 1.43.7, 1.44.4, 1.45.2...

6.9 CVSS, 5.8 AI score, 0.0029 EPSS
Exploits: 0, References: 1
Tenable Nessus
added 2026/04/10 12:0 a.m., 2 views

openSUSE 16 Security Update : aws-c-event-stream (openSUSE-SU-2026:20477-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2026:20477-1 advisory. Changes in aws-c-event-stream: - CVE-2026-5190: Fixed an out-of-bounds write caused by crafted event-stream messages (bsc1261298). Tenable has extracted the...

7.7 CVSS, 5.9 AI score, 0.00376 EPSS
Exploits: 0, References: 3
OSV
added 2026/04/09 12:0 a.m., 1 views

OPENSUSE-SU-2026:10512-1 aws-c-event-stream-devel-0.7.0-1.1 on GA media

These are all security issues fixed in the aws-c-event-stream-devel-0.7.0-1.1 package on the GA media of openSUSE Tumbleweed...

7.7 CVSS, 5.8 AI score, 0.00376 EPSS
Exploits: 0, References: 1
OPENSUSE Linux
added 2026/04/09 12:0 a.m., 2 views

Security update for aws-c-event-stream (important)

openSUSE security update: security update for aws-c-event-stream. Announcement ID: openSUSE-SU-2026:20477-1; Rating: important; References: bsc1261298; Cross-References: CVE-2026-5190; Affected Products: openSUSE Leap 16.0...

7.7 CVSS, 5.9 AI score, 0.00376 EPSS
Exploits: 0, References: 1
OSV
added 2026/04/08 1:3 p.m., 2 views

OPENSUSE-SU-2026:20477-1 Security update for aws-c-event-stream

This update for aws-c-event-stream fixes the following issues: Changes in aws-c-event-stream: - CVE-2026-5190: Fixed an out-of-bounds write caused by crafted event-stream messages (bsc1261298)...

7.7 CVSS, 5.8 AI score, 0.00376 EPSS
Exploits: 0, References: 2
OSV
added 2026/04/08 12:18 a.m., 1 views

GHSA-XMRV-PMRH-HHX2 Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder

CVSSv3.1 Rating: Medium. CVSSv3.1 Score: 5.9. CVSSv3.1 Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Summary and Impact: An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating 2026-03-23. An actor can send a malformed EventStream response frame...

5.9 CVSS, 5.8 AI score
Exploits: 0, References: 3
SUSE CVE
added 2026/04/02 8:42 a.m., 3 views

SUSE CVE-2026-5190

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, user...

7.7 CVSS, 6.4 AI score, 0.00376 EPSS
Exploits: 0, References: 3
Snyk
added 2026/03/31 8:10 p.m., 1 views

Out-of-bounds Write

Overview: Affected versions of this package are vulnerable to Out-of-bounds Write while decoding header names. An attacker can achieve memory corruption and potentially execute arbitrary code by sending specially crafted event-stream messages to a client application. Remediation: A fix was pushed...

7.7 CVSS, 6.1 AI score, 0.00376 EPSS
Exploits: 0, References: 2
Cvelist
added 2026/03/31 5:5 p.m., 18 views

CVE-2026-5190 AWS C Event Stream Streaming Decoder Stack Buffer Overflow

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, user...

7.7 CVSS, 0.00376 EPSS
Exploits: 0, References: 3
Vulnrichment
added 2026/03/31 5:5 p.m., 3 views

CVE-2026-5190 AWS C Event Stream Streaming Decoder Stack Buffer Overflow

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, user...

7.7 CVSS, 6.4 AI score, 0.00376 EPSS
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/31 5:5 p.m., 3 views

CVE-2026-5190

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, user...

7.7 CVSS, 6.4 AI score, 0.00376 EPSS
Exploits: 0, References: 4
CVE
added 2026/03/31 5:5 p.m., 11 views

CVE-2026-5190

The CVE-2026-5190 entry concerns aws-c-event-stream’s streaming decoder, where an out-of-bounds write prior to version 0.6.0 can allow memory corruption and potentially arbitrary code execution on a client application that processes crafted event-stream messages. Affected component: streaming dec...

7.7 CVSS, 6.4 AI score, 0.00376 EPSS
Exploits: 0, References: 3
EUVD
added 2026/03/31 5:5 p.m., 4 views

EUVD-2026-17575

Out-of-bounds write in the streaming decoder component in aws-c-event-stream before 0.6.0 might allow a third party operating a server to cause memory corruption leading to arbitrary code execution on a client application that processes crafted event-stream messages. To remediate this issue, user...

7.7 CVSS, 6.4 AI score, 0.00376 EPSS
Exploits: 0, References: 3
CNNVD
added 2026/03/31 12:0 a.m., 4 views

aws-c-event-stream security vulnerability

aws-c-event-stream is a C language implementation library for the event stream protocol, open-sourced by Amazon Web Services - Labs. Versions of aws-c-event-stream prior to 0.6.0 contain security vulnerabilities. These vulnerabilities stem from out-of-bounds writing in the stream decoder componen...

7.7 CVSS, 6.2 AI score, 0.00376 EPSS
Exploits: 0, References: 3
Snyk
added 2026/03/20 8:50 p.m., 3 views

CRLF Injection

Overview: h3 is a minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to CRLF Injection via unsanitized carriage return characters in the data and comment fields of the EventStream class. An attacker can inject arbitrary server-sent...

5.3 CVSS, 5.9 AI score
Exploits: 0, References: 2
Snyk
added 2026/03/20 8:50 p.m., 2 views

CRLF Injection

Overview: org.webjars.npm:h3 is a minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to CRLF Injection via unsanitized carriage return characters in the data and comment fields of the EventStream class. An attacker can inject arbitra...

5.3 CVSS, 5.9 AI score
Exploits: 0, References: 2
RedhatCVE
added 2026/03/20 5:22 p.m., 5 views

CVE-2026-33128

A flaw was found in H3, a minimal HTTP framework. A remote attacker can exploit this flaw by injecting malicious Server-Sent Events (SSE) due to improper sanitization of newline characters in the formatEventStreamMessage and formatEventStreamComment functions. An attacker who controls any part of a...

10 CVSS, 5.8 AI score, 0.00486 EPSS
Exploits: 1, References: 2
NVD
added 2026/03/20 10:16 a.m., 3 views

CVE-2026-33128

H3 is a minimal HTTP framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage and formatEventStreamComment. An attacker who controls any part of...

10 CVSS, 0.00486 EPSS
Exploits: 1, References: 3
Cvelist
added 2026/03/20 9:37 a.m., 23 views

CVE-2026-33128 h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields

H3 is a minimal HTTP framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage and formatEventStreamComment. An attacker who controls any part of...

7.5 CVSS, 0.00486 EPSS
Exploits: 1, References: 3