CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 2026/05/07 12:22 a.m.•11 views

Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

Summary Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present. According to RFC...

7.5CVSS6AI score0.00012EPSS

Exploits1References4Affected Software1

OSV•added 2026/05/07 12:22 a.m.•1 views

GHSA-38F8-5428-X5CV Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

6.5CVSS6AI score0.00012EPSS

Exploits1References4

Github Security Blog•added 2026/05/07 12:21 a.m.•7 views

Netty has HttpClientCodec response desynchronization

Summary If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another's. Details HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD a...

Exploits1References3Affected Software1

vulnersOsv•added 2026/05/07 12:21 a.m.•4 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +23532 more potentially affected by CVE-2026-42584 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

io.netty:netty-codec-http MAVEN version =4.0.0.Alpha1, =0.1.0-alpha.2, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.2, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves: CVE-2026-42584 Sourc...

vulnersOsv•added 2026/05/07 12:21 a.m.•2 views

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2758 more potentially affected by CVE-2026-42584 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

vulnersOsv•added 2026/05/07 12:21 a.m.•4 views

Github Security Blog•added 2026/05/07 12:19 a.m.•7 views

Netty HTTP/3 QPACK literal unbounded allocation

Summary When Netty decodes HTTP/3 headers, it sometimes runs new bytelength using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length on the order of a gigabyte. Details When decoding header blocks, the non-Huffman branch of...

7.5CVSS5.9AI score0.00017EPSS

Exploits1References3Affected Software1

OSV•added 2026/05/07 12:19 a.m.•1 views

GHSA-2C5C-CHWR-9HQW Netty HTTP/3 QPACK literal unbounded allocation

7.5CVSS5.9AI score0.00017EPSS

Exploits1References3

vulnersOsv•added 2026/05/07 12:18 a.m.•3 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +23532 more potentially affected by CVE-2026-42581 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

Snyk•added 2026/05/07 12:18 a.m.•12 views

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling in the HttpObjectDecoder component. An attacker can manipulate...

vulnersOsv•added 2026/05/07 12:18 a.m.•3 views

Exploits1References2

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +23532 more potentially affected by CVE-2026-42581 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

vulnersOsv•added 2026/05/07 12:18 a.m.•6 views

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2758 more potentially affected by CVE-2026-42581 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

vulnersOsv•added 2026/05/07 12:13 a.m.•3 views

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2758 more potentially affected by CVE-2026-42580 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

OSV•added 2026/05/07 12:13 a.m.•1 views

GHSA-M4CV-J2PX-7723 Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing

Summary Netty's chunk size parser silently overflows int, enabling request smuggling attacks. Details io.netty.handler.codec.http.HttpObjectDecodergetChunkSize silently overflows int. The size is accumulated as follows: result = 16; result += digit; The result is checked only for negative values...

6.5CVSS5.9AI score0.00016EPSS

Exploits1References3

vulnersOsv•added 2026/05/07 12:13 a.m.•5 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +23532 more potentially affected by CVE-2026-42580 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

vulnersOsv•added 2026/05/07 12:13 a.m.•3 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.3), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.3) +23532 more potentially affected by CVE-2026-42580 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

vulnersOsv•added 2026/05/07 12:13 a.m.•5 views