SUSE SLES15 Security Update : apache2 (SUSE-SU-2026:2103-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2103-1 advisory. This update for apache2 fixes the following issues: - CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957)....
SUSE-SU-2026:2103-1 Security update for apache2
This update for apache2 fixes the following issues: - CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957). - CVE-2026-24072: mod_rewrite elevation of privileges via ap_expr (bsc#1263935). - CVE-2026-28780: heap buffer overflow in mod_proxy_ajp via ajp_msg_check_header (bsc#1264163). -...
CVE-2026-47069 CRLF injection in cookie domain/path options in hackney
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and...
EUVD-2026-31683
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and...
EEF-CVE-2026-47069 CRLF injection in cookie domain/path options in hackney
Summary: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the doma...
OESA-2026-2402 httpd security update
Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users ar...
OESA-2026-2400 httpd security update
Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users ar...
Astra Linux - vulnerability in python3.11
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially leading to Out-of-Memory errors or other types of...
Astra Linux - vulnerability in apache2
Splitting of HTTP responses within the core of the Apache HTTP Server allows attackers who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was identified as CVE-2023-38709, but the patch included in...
Astra Linux - vulnerability in jruby
Before Ruby 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an HTTP Response Splitting attack was possible. An attacker could inject a crafted key and value into an HTTP response for the WEBrick HTTP server...
CLSA-2026-1779118869 Fix of 8 CVEs
SECURITY UPDATE: fix off-by-one out-of-bounds read in mod_proxy_ajp message getter functions - debian/patches/CVE-2026-33857-prereq.patch: prerequisite fix for ajp_msg_check_header bounds check to keep msg-len within buffer - debian/patches/CVE-2026-33857.patch: fix off-by-one out-of-bounds read in...
CVE-2025-62316
Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2025-62316 from the linked sources; no affected products, vectors, or remediation are stated.
CVE-2025-62316 HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured
HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions...
DEBIAN-CVE-2026-42584
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...
MGASA-2026-0129 Updated apache packages fix security vulnerabilities
http2: double free and possible RCE on early reset (CVE-2026-23918). mod_rewrite elevation of privileges via ap_expr (CVE-2026-24072). Buffer overflow in mod_proxy_ajp via ajp_msg_check_header (CVE-2026-28780). mod_md unrestricted OCSP response (CVE-2026-29168). mod_dav_lock indirect lock crash (CVE-2026-29169)...
Decompression Bomb
Overview: urllib3 is an HTTP library with thread-safe connection pooling, file post, and more. Affected versions of this package are vulnerable to Decompression Bomb either in HTTPResponse.read when Brotli is in use, or when HTTPResponse.drain_conn is called after partial decompression has begun. An...
CVE-2026-41645
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response...
Microdot has HTTP response splitting in Response.set_cookie()
Impact: The Response.set_cookie method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must...
HTTP Response Splitting
Overview: microdot is "The impossibly small web framework for MicroPython". Affected versions of this package are vulnerable to HTTP Response Splitting in the set_cookie function. An attacker can inject arbitrary HTTP headers by supplying malicious input containing carriage return and line feed...
ALPINE-CVE-2026-33523
HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...