CVE-2026-20069

A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance ASA Software and Cisco Secure Firewall Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This...

CVE-2026-20069 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Client-Side Request Smuggling Vulnerability

A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance ASA Software and Cisco Secure Firewall Threat Defense FTD Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This...

RUSTSEC-2026-0033 HTTP Request Smuggling via Premature Upgrade

Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching Protocols response. This allows an attacker to smuggle requests to the backend and bypass proxy-level security controls. This vulnerabilit...

Security update for libsoup

This update for libsoup fixes the following issues: CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests bsc1257398. CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects bsc1257441...

CVE-2024-55026

An issue in the resetpj.cgi endpoint of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to execute arbitrary commands via supplying a crafted GET request...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses netty-codec-http-4.2.5.Final.jar which is vulnerable to CVE-2025-67735.

Summary IBM Maximo Application Suite - Monitor Component uses netty-codec-http-4.2.5.Final.jar which is vulnerable to CVE-2025-67735. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven...

CVE-2025-11847

A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50ABPM.9.6C0 and the Zyxel WX3100-T0 firmware versions through 5.50ABVL.4.8C0 could allow an authenticated attacker with administrator privileges to trigger a...

CVE-2025-11847

A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50ABPM.9.6C0 and the Zyxel WX3100-T0 firmware versions through 5.50ABVL.4.8C0 could allow an authenticated attacker with administrator privileges to trigger a...

CVE-2025-11848

A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50ABPM.9.6C0 and the Zyxel WX3100-T0 firmware versions through 5.50ABVL.4.8C0 could allow an authenticated attacker with administrator privileges to trigger a...

CVE-2025-11846

Affects Zyxel VMG3625-T50B (firmware up to 5.50(ABPM.9.6)C0) and Zyxel WX3100-T0 (firmware up to 5.50(ABVL.4.8)C0). Root cause: null pointer dereference in the account settings CGI program. Impact: authenticated administrator can trigger a denial-of-service by sending a crafted HTTP request. No r...

CVE-2025-11845

Summary: CVE-2025-11845 is a null pointer dereference in the certificate downloader CGI program affecting Zyxel VMG3625-T50B (up to 5.50(ABPM.9.6)C0) and Zyxel WX3100-T0 (up to 5.50(ABVL.4.8)C0). An authenticated administrator can trigger a denial-of-service by sending a crafted HTTP request. The...

CVE-2026-26365

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing pat...

exploit-notes

🎯 Pentest Playbook Index Welcome to the comprehensive penetra...

CVE-2025-12811

Improper Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' in Delinea Inc. Cloud Suite and Privileged Access Service. If you're not using the latest Server Suite agents, this fix requires that you upgrade to Server Suite 2023.1 agent 6.0.1 or later. If you cannot upgrade to...

CVE-2025-15563 Broken Access Control results in Denial of Service in NesterSoft WorkTime

Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here...

Linux Distros Unpatched Vulnerability : CVE-2026-2708

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soupmessageheadersappendcommon function in libsoup/soup-message-headers.c...

CVE-2025-12811 Cloud Suite and Privilege Access Service– HTTP request smuggling vulnerability

Improper Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' in Delinea Inc. Cloud Suite and Privileged Access Service. If you're not using the latest Server Suite agents, this fix requires that you upgrade to Server Suite 2023.1 agent 6.0.1 or later. If you cannot upgrade to...

CVE-2025-12811

CVE-2025-12811 affects Delinea Cloud Suite and Privileged Access Service with an HTTP Request Smuggling flaw (Improper Inconsistent Interpretation of HTTP Requests). The CVSS v4.0 base score is 6.9 (Medium) with network attack vector, low attack complexity, no privileges, and no user interaction ...

CVE-2025-12811 Cloud Suite and Privilege Access Service– HTTP request smuggling vulnerability

Improper Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' in Delinea Inc. Cloud Suite and Privileged Access Service. If you're not using the latest Server Suite agents, this fix requires that you upgrade to Server Suite 2023.1 agent 6.0.1 or later. If you cannot upgrade to...