GHSA-P88M-4JFJ-68FV undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Impact undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

CVE-2026-9679

A flaw was found in undici. The cookie parser in the parseSetCookie function incorrectly decodes cookie values, which is contrary to standard specifications. This vulnerability allows an attacker-controlled upstream to inject arbitrary HTTP response headers, such as Set-Cookie, Location, or...

CVE-2026-9679 undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

Bosch Security Systems IP Cameras Improper Input Validation (CVE-2021-23853)

In Bosch IP cameras, improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, Inc...

EUVD-2026-36252

IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

PT-2026-48672

Name of the Vulnerable Software and Affected Versions IBM DevOps Plan versions 3.0.0 through 3.0.6 Description An issue exists due to improper validation of input within the Host header of HTTP requests. This allows for HTTP header injection, which can be leveraged to perform cross-site scripting...

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS : Netty vulnerabilities (USN-8401-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8401-1 advisory. It was discovered that Netty's HTTP proxy handler did not properly validate heade...

Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.4 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...

EulerOS 2.0 SP13 : busybox (EulerOS-SA-2026-2324)

According to the versions of the busybox packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : BusyBox wget thru 1.3.7 accepted raw CR 0x0D/LF 0x0A and other C0 control bytes in the HTTP request- target path/query, allowing the request line...

Security update for netty, netty-tcnative

This update for netty, netty-tcnative fixes the following issues CVE-2026-41417: missing validations leads to HTTP request smuggling and RTSP request injection via start-line injection in DefaultHttpRequest.setUri bsc1264350. CVE-2026-42578: HTTP Header Injection via HttpProxyHandler Disabled...

Security Bulletin: IBM Cloud Pak for Data System 1.0 is affected by multiple vulnerabilities

Summary IBM Cloud Pak for Data System 1.0 CPDS 1.0 includes multiple third-party components that are affected by various security vulnerabilities. These vulnerabilities include denial of service issues in the Linux kernel and Python components, command injection vulnerabilities in Python's imapli...

BIT-ACTIVEMQ-2026-42253 Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

PT-2026-45839

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add content type param/2. Tesla.Multipart.add content type param/2 appends caller-supplied strings to the multipart...

CVE-2026-42253

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

python3.14 security update

An update is available for python3.14. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Python is an interpreted, interactive, object-oriented programming...

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image

Summary Multiple vulnerabilities were addressed in IBM Observability with Instana within Instana Agent container image build 1.0.319 Vulnerability Details CVEID:CVE-2026-33871 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and...

CVE-2026-47075

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar define...

python: Python: HTTP header injection via CR/LF in proxy tunnel headers

A flaw was found in Python. This vulnerability allows for the injection of extra information into HTTP communication. Specifically, the system does not properly prevent special characters carriage return and line feed from being included in HTTP client proxy tunnel headers or host fields...

Important: Red Hat Security Advisory: python3.14 security update

An update for python3.14 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fro...