
2468 matches found

Positive Technologies
added 2025/12/12 12:00 a.m., 1 view

PT-2025-50884

Name of the Vulnerable Software and Affected Versions: Tornado versions 6.5.2 and below. Description: Tornado, a Python web framework and asynchronous networking library, is susceptible to a Denial of Service (DoS) condition. A single, specially crafted HTTP request can halt the server’s event loop fo...

CVSS 9.8, AI score 6.5, EPSS 0.00438
Exploits 2, References 147
Tenable Nessus
added 2025/12/12 12:00 a.m., 1 view

Linux Distros Unpatched Vulnerability : CVE-2025-67724

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers...

CVSS 6.1, AI score 6.1, EPSS 0.00035
Exploits 0, References 2
CNNVD
added 2025/12/12 12:00 a.m., 2 views

Tornado resource management error vulnerability

Tornado is a Python web framework and asynchronous networking library from the Chinese Tornado Technology Tornado community. The library scales to thousands of open connections through the use of non-blocking network I/O, making it well suited for long polling, WebSocket and other applicatio...

CVSS 7.5, AI score 6.4, EPSS 0.00212
Exploits 0, References 4
Snyk
added 2025/12/11 4:48 p.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to lack of limits for decoded HTTP/3 headers. An attacker can cause excessive memory allocation by sending a specially crafted QPACK-encoded HEADERS frame that expands into a large...

CVSS 8.7, AI score 6.8, EPSS 0.00064
Exploits 0, References 2
RedhatCVE
added 2025/12/11 12:30 p.m., 4 views

CVE-2025-14523

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the...

CVSS 8.2, AI score 6.3, EPSS 0.00024
Exploits 0, References 3
Positive Technologies
added 2025/12/11 12:00 a.m., 2 views

PT-2025-50733

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...

CVSS 5.3, AI score 6.8, EPSS 0.00064
Exploits 0, References 3
CNNVD
added 2025/12/11 12:00 a.m., 2 views

libsoup environment issue vulnerability

libsoup is a GNOME HTTP client/server library from the GNOME Project. An environment issue vulnerability exists in libsoup that stems from improper handling of HTTP headers, which could lead to request entrapment attacks, cache poisoning, or bypassing host-based access control...

CVSS 8.2, AI score 6.4, EPSS 0.00024
Exploits 0, References 3
Tenable Nessus
added 2025/12/10 12:00 a.m., 2 views

Fedora 42 : perl-CGI-Simple (2025-47551b2aa2)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-47551b2aa2 advisory. 1.282 - Sanitize all user-supplied values before inserting into HTTP headers; Fixed CVE-2025-40927. Tenable has extracted the preceding description block...

CVSS 7.3, AI score 5.5, EPSS 0.00235
Exploits 0, References 2
Snyk
added 2025/12/05 6:42 p.m., 2 views

Improper Output Neutralization for Logs

Overview: Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the unconditional acceptance of attacker-supplied HTTP headers in the getclientip function. An attacker can manipulate server-visible metadata, logs, and authorization decisions by supplying...

CVSS 6.9, AI score 6.9, EPSS 0.00052
Exploits 1, References 2
Japan Vulnerability Notes
added 2025/11/25 8:17 a.m., 5 views

Multiple vulnerabilities in Security Point (Windows) of MaLion

Overview: Security Point (Windows) of MaLion provided by Intercom, Inc. contains multiple vulnerabilities listed below. Incorrect default permissions (CWE-276) - CVE-2025-59485; Stack-based buffer overflow in processing HTTP headers (CWE-121) - CVE-2025-62691; Heap-based buffer overflow in processing...

CVSS 9.8, AI score 8.6, EPSS 0.00317
Exploits 0, References 6
CNNVD
added 2025/11/25 12:00 a.m., 2 views

Intercom MaLion Security Point security vulnerability

Intercom MaLion Security Point is an asset management and information leakage prevention software from Intercom Japan. A security vulnerability exists in Intercom MaLion Security Point that stems from a stack buffer overflow when processing HTTP headers, which could lead to the execution of...

CVSS 9.8, AI score 9.6, EPSS 0.00317
Exploits 0, References 3
Snyk
added 2025/11/18 11:25 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ExceededSizeError exception. An attacker can cause excessive memory consumption and potentially disrupt service availability by sending arbitrarily large JWT tokens in HTTP...

CVSS 9.2, AI score 6.8, EPSS 0.0008
Exploits 1, References 2
GithubExploit
added 2025/11/08 6:23 p.m., 139 views

pentest-scripts

Pentest Scripts - Unified Security Testing Framework 🎯 Qui...

AI score 7.5
Exploits 0
OSV
added 2025/10/29 11:16 p.m., 2 views

AZL-69140 CVE-2025-58186 affecting package msft-golang 1.24.13-1

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption...

CVSS 5.3, AI score 7.2, EPSS 0.00041
Exploits 0, References 1
Tenable Nessus
added 2025/10/28 12:00 a.m., 3 views

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Ruby vulnerabilities (USN-7840-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7840-1 advisory. It was discovered that the REXML module bundled into Ruby incorrectly handled parsing XML documents with repeated instances of...

CVSS 7.5, AI score 6.8, EPSS 0.08428
Exploits 1, References 7
OSV
added 2025/10/27 7:16 p.m., 0 views

CVE-2025-12365

Error Messages Wrapped In HTTP Header. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

CVSS 5.3, AI score 5.8
Exploits 0, References 1
EUVD
added 2025/10/25 5:31 a.m., 3 views

EUVD-2025-35905

The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers such as X-Forwarded-For, HTTPCLIENTIP, and similar headers to determine user IP...

CVSS 3.7, AI score 5.3, EPSS 0.00032
Exploits 0, References 5
Positive Technologies
added 2025/10/25 12:00 a.m., 4 views

PT-2025-43704

Name of the Vulnerable Software and Affected Versions: Password Protected plugin for WordPress versions prior to 2.7.12. Description: The Password Protected plugin for WordPress is susceptible to authorization bypass through IP address spoofing. This occurs because the plugin relies on...

CVSS 3.7, AI score 6.2, EPSS 0.00032
Exploits 0, References 8
OSV
added 2025/10/23 12:15 p.m., 2 views

UBUNTU-CVE-2025-62396

An error-handling issue in the Moodle router r.php could cause the application to display internal directory listings when specific HTTP headers were not properly configured...

CVSS 5.3, AI score 5.8, EPSS 0.00043
Exploits 0, References 4
Cvelist
added 2025/10/23 11:28 a.m., 4 views

CVE-2025-62396 Moodle: router (r.php) could expose application directories

An error-handling issue in the Moodle router r.php could cause the application to display internal directory listings when specific HTTP headers were not properly configured...

CVSS 5.3, EPSS 0.00043
Exploits 0, References 2