Moderate: osbuild-composer security update

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients. Security Fixes: net/http:...

CVE-2025-52479 HTTP.jl vulnerable to CR/LF Injection in URIs

HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers URIs. URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise...

Security Bulletin: IBM Maximo Application Suite - IoT Component uses jetty-http-10.0.22.jar and jinja2-3.1.5-py3-none-any.whl which is vulnerable to CVE-2025-27516 and CVE-2024-6763

Summary IBM Maximo Application Suite - IoT Component uses jetty-http-10.0.22.jar and jinja2-3.1.5-py3-none-any.whl which is vulnerable to CVE-2025-27516 and CVE-2024-6763. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-6763...

CVE-2025-34037 Linksys Routers E/WAG/WAP/WES/WET/WRT-Series

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcpip parameter without sanitization, allowing...

Security Bulletin: Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-6763]

Summary The jetty-http package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2024-6763 Vulnerability Details CVEID:CVE-2024-6763 DESCRIPTION: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet...

net/http: Request smuggling due to acceptance of invalid chunked data in net/http

A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed LF instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to se...

Moderate: Red Hat Security Advisory: go-toolset:rhel8 security update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detail...

ALSA-2025:9145 Moderate: skopeo security update

The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 For more details about the...

skopeo security update

2:1.18.1-2 - rebuild to fix CVE-2025-22871 skopeo: Request smuggling due to acceptance of invalid chunked data in net/http - Resolves: RHEL-89329...

net/http: Request smuggling due to acceptance of invalid chunked data in net/http

A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed LF instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to se...

PT-2025-24401 · Red Hat · Red Hat Connectivity Link

Name of the Vulnerable Software and Affected Versions: Red Hat Connectivity Link affected versions not specified Description: The issue concerns the AuthPolicy metadata in Red Hat Connectivity Link, which contains an object storing secrets. However, it assumes these secrets are already in the...

Moderate: grafana security update

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 For more details about the security issues, including the impact, a CVSS...

Moderate: go-toolset:rhel8 security update

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 For more details about the security issues, including the impact, a CVSS score...

Moderate: golang security update

The golang packages provide the Go programming language compiler. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related...

ALSA-2025:8476 Moderate: golang security update

The golang packages provide the Go programming language compiler. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related...

Important: oci-add-hooks

Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...

CVE-2025-48865 Fabio allows HTTP clients to manipulate custom headers it adds

Fabio is an HTTPS and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers except X-Forwarded-For due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and...

CVE-2025-48928

The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025...

CVE-2025-21528

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering component: Web Access. Supported versions that are affected are 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1.0-22.12.16.0 and 23.12.1.0-23.12.10.0. Easily exploitable...

CVE-2025-21512

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards component: Web Runtime SEC. Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards...