Lucene search
+L

2505 matches found

RedHat Linux
RedHat Linux
added 2026/04/17 7:24 p.m.3 views

cpython: wsgiref.headers.Headers allows header newline injection in Python

Missing newline filtering has been discovered in Python. User-controlled header names and values containing newlines can allow injecting HTTP headers...

5.9CVSS6.6AI score0.00463EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/04/17 12:0 a.m.17 views

PT-2026-33521

Name of the Vulnerable Software and Affected Versions miniupnpd affected versions not specified Description An integer underflow exists in the parsing of the 'SOAPAction' header. Remote attackers can cause a denial of service or information disclosure by sending a malformed 'SOAPAction' header...

9.1CVSS5.8AI score0.00674EPSS
Exploits0References16
Tenable Nessus
Tenable Nessus
added 2026/04/17 12:0 a.m.7 views

Unity Linux 20.1070a Security Update: pcs (UTSA-2026-007275)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007275 advisory. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's...

7.5CVSS6.4AI score0.00403EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/04/16 12:0 a.m.7 views

AlmaLinux 8 : nodejs:22 (ALSA-2026:7123)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7123 advisory. brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547 minimatch: minimatch: Denial of Service via special...

9.8CVSS5.9AI score0.26356EPSS
Exploits2References11
OSV
OSV
added 2026/04/09 12:1 a.m.10 views

RLSA-2026:7123 Important: nodejs:22 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547 minimatch: minimatch: Denial of Service via...

7.5CVSS6.7AI score0.26356EPSS
Exploits2References10
Tenable Nessus
Tenable Nessus
added 2026/04/09 12:0 a.m.9 views

RHEL 10 : nodejs22 (RHSA-2026:7310)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7310 advisory. Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an...

9.8CVSS6.8AI score0.26356EPSS
Exploits2References19
Snyk
Snyk
added 2026/04/07 6:16 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview github.com/gotenberg/gotenberg/v7/pkg/modules/chromium is a Docker-powered stateless API for PDF files. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the extraHttpHeaders field in the /forms/chromium/screenshot/url endpoint,...

9.8CVSS5.4AI score0.00497EPSS
Exploits1References2
OSV
OSV
added 2026/04/07 6:16 p.m.3 views

GHSA-FMWG-QCQH-M992 Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature

Summary Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely. Details Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns...

8.7CVSS5.8AI score0.00497EPSS
Exploits1References4
GithubExploit
GithubExploit
added 2026/04/07 5:31 p.m.134 views

Exploit for CVE-2026-22732

CVE-2026-22732 Demo Minimal reproduction of CVE-2026-22732...

9.1CVSS6AI score0.0048EPSS
Exploits2
Vulnrichment
Vulnrichment
added 2026/04/07 2:24 p.m.1 views

CVE-2026-35458 Gotenberg has a ReDoS via extraHttpHeaders scope feature

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely...

8.7CVSS5.9AI score0.00497EPSS
Exploits1References1
OSV
OSV
added 2026/04/07 2:24 p.m.2 views

CVE-2026-35458 Gotenberg has a ReDoS via extraHttpHeaders scope feature

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely...

8.7CVSS5.9AI score0.00497EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.7 views

PT-2026-30322

Name of the Vulnerable Software and Affected Versions @hapi/content versions through 6.0.0 Description @hapi/content is susceptible to Regular Expression Denial of Service ReDoS through crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition header...

8.7CVSS5.3AI score0.00413EPSS
Exploits0References208
CVE
CVE
added 2026/04/02 5:57 p.m.29 views

CVE-2026-34715

Vulnerability: ewe (Gleam web server) prior to 3.0.6 allows HTTP header injection via encode_headers in src/ewe/internal/encoder.gleam. The function directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF sequences, so user-controlled data (e...

5.3CVSS5.5AI score0.00327EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/01 11:11 p.m.5 views

CVE-2026-34520

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for Python. The default C parser incorrectly processed null bytes and control characters present in HTTP response headers. This vulnerability could allow a remote attacker to inject malicious data into these headers,...

9.1CVSS5.9AI score0.00461EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/01 10:18 p.m.8 views

ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)

Summary The encodeheaders function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF \r\n sequences. An application that passes user-controlled data into response headers e.g., setting a Location redire...

5.3CVSS6AI score0.00327EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/04/01 10:18 p.m.3 views

GHSA-X2W3-23JR-HRPF ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)

Summary The encodeheaders function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF \r\n sequences. An application that passes user-controlled data into response headers e.g., setting a Location redire...

5.3CVSS6AI score0.00327EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2026/04/01 12:0 a.m.15 views

Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1525)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1525 advisory. Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This produces malformed HTTP/1.1 request...

9.8CVSS7.2AI score0.0115EPSS
Exploits0References12
SUSE Linux
SUSE Linux
added 2026/03/31 10:2 p.m.2 views

Security update for python-tornado

This update for python-tornado fixes the following issues: CVE-2025-67724: missing validation of the supplied reason phrase bsc1254903. CVE-2025-67725: Denial of Service DoS via maliciously crafted HTTP request caused by the HTTPHeaders.add method bsc1254905. CVE-2026-31958: parsing large multipa...

8.7CVSS6.4AI score0.00403EPSS
Exploits0References14
Cvelist
Cvelist
added 2026/03/30 7:7 p.m.170 views

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS0.26356EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 2:56 p.m.6 views

CVE-2019-25478

GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that allows remote attackers to cause denial of service by sending HTTP responses with excessively long headers. Attackers can craft malicious HTTP responses with oversized header values to crash the application and make i...

8.7CVSS6.1AI score0.00492EPSS
Exploits0References1
Rows per page
Query Builder