404 matches found
RLSA-2025:9151 Moderate: gvisor-tap-vsock security update
A replacement for libslirp and VPNKit, written in pure Go. It is based on the network stack of gVisor. Compared to libslirp, gvisor-tap-vsock brings a configurable DNS server and dynamic port forwarding. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in...
podman security update
An update is available for podman. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The podman tool manages pods, container images, and containers. It is part of...
buildah security update
An update is available for buildah. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The buildah package provides a tool for facilitating building OCI container...
delve security update
An update is available for delve. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Delve is a debugger for the Go programming language. The goal of the project i...
CVE-2020-36155
creationtimestamp | type | source
---|---|---
2025-09-15 16:48:48+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2020/CVE-2020-36155.yaml
2025-09-17 21:02:35+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3lz2qaykzyw2n...
Security Bulletin: IBM watsonx Code Assistant On Prem product affected by h11 HTTP Chunk Handling Vulnerability
Summary: A vulnerability (CVE-2025-43859) has been identified in the h11 Python library, which impacts the IBM watsonx Code Assistant On-Premises product. This bulletin outlines the necessary steps to address and remediate the vulnerability. Vulnerability Details: CVEID: CVE-2025-43859. DESCRIPTION: h1...
php: libxml streams use wrong content-type header when requesting a redirected resource
A flaw was found in PHP's DOM and SimpleXML extensions. This vulnerability allows incorrect parsing of a redirected HTTP resource via improper content-type header handling...
Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to loss of confidentiality [CVE-2025-22871]
Summary: The Golang package net/http is used by IBM App Connect Enterprise Certified Container operator and operands for HTTP communication. IBM App Connect Enterprise Certified Container operator and operands are vulnerable to loss of confidentiality. This bulletin provides patch information to addre...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a request smuggling vulnerability in net/http [CVE-2025-22871]
Summary: IBM Watson Speech Services Cartridge is vulnerable to a request smuggling vulnerability in net/http, caused by a condition where the package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines (CVE-2025-22871). Net/http is used as part of our speech utilities...
1-exceptions-handler (=1.0.13), 10-20-day-exam (=1.0.0) +2603 more potentially affected by unknown CVE via http (>=0.0.0 <=0.0.1-security)
http NPM version =0.0.0, =1.0.1, =2.0.0, =0.0.1, =0.0.3 and more Source cves: unknown CVE Source advisory: OSV:MAL-2025-22760...
Linux Distros Unpatched Vulnerability : CVE-2025-4969
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allo...
net/http: Request smuggling due to acceptance of invalid chunked data in net/http
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to se...
RLSA-2025:3772 Moderate: go-toolset:rhel8 security update
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints (CVE-2024-45341); golang: net/http: net/http: sensitive headers incorrectly sent after...
go-toolset:rhel8 security update
An update is available for module.go-toolset, golang, module.delve, go-toolset, module.golang, delve. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Go Toolset...
CVE-2025-5253
CVE-2025-5253 affects Kron Technologies’ Kron PAM prior to version 3.7. The issue is described as an HTTP DoS caused by unrestricted resource allocation (or throttling), enabling resource exhaustion under HTTP requests. Affected component is Kron PAM’s HTTP handling; product/version details indic...
Security Bulletin: Vulnerabilities in Quarkus-HTTP affects IBM watsonx Orchestrate with watsonx Assistant Cartridge
Summary: A potential vulnerability in Quarkus-HTTP has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details: CVEID: CVE-2024-12397. DESCRIPTION: A...
CVE-2025-50067
Vulnerability in Oracle Application Express component: Strategic Planner Starter App. Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Express. Successful attac...
CVE-2025-30748
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft component: PIA Core Technology. Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft...
AlmaLinux 9 : grafana-pcp (ALSA-2025:8916)
The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2025:8916 advisory. net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871). Tenable has extracted the preceding description block directly fro...
CVE-2025-53007 arduino-esp32 vulnerable to CRLF injection in WebServer.cpp
arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain an HTTP Response Splitting vulnerability. The sendHeader function takes arbitrary input for the HTTP header name and value, concatenates them into an HTTP header line, and appends this to the outgoi...