CVE-2026-6993

A flaw was found in go-kratos kratos. A remote attacker could exploit a vulnerability in the HTTP server's NewServer function, specifically within the http.DefaultServeMux Fallback Handler. This manipulation creates an unintended intermediary, which can lead to the disclosure of sensitive...

BIT-ACTIVEMQ-2026-40466 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport...

CVE-2026-23486

creationtimestamp| type| source ---|---|--- 2026-04-28 00:08:54+00:00| confirmed| https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-23486.yaml 2026-04-28 21:03:04+00:00| seen| https://bsky.app/profile/beikokucyber.bsky.social/post/3mklibctkvh2z...

PT-2026-36215

Уязвимость функции fromNatlimitof демона httpd микропрограммного обеспечения маршрутизаторов Tenda F456 связана с выходом операции за границы буфера в памяти. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании или выполнить произвольный код пут...

Apache Pony Mail 环境问题漏洞

Apache Pony Mail is a plugin from the Apache Foundation in the United States that includes features for email archiving, viewing, and interaction. Apache Pony Mail has an environmental issue vulnerability, which stems from inconsistent interpretation of HTTP requests, potentially allowing...

CVE-2026-7146 AlejandroArciniegas mcp-data-vis HTTP Request server.js axios server-side request forgery

A security vulnerability has been detected in AlejandroArciniegas mcp-data-vis up to de5a51525a69822290eaee569a1ab447b490746d. Affected by this vulnerability is the function axios of the file src/servers/web-scraper/server.js of the component HTTP Request Handler. Such manipulation leads to...

python: Python: HTTP header injection via CR/LF in proxy tunnel headers

A flaw was found in Python. This vulnerability allows for the injection of extra information into HTTP communication. Specifically, the system does not properly prevent special characters carriage return and line feed from being included in HTTP client proxy tunnel headers or host fields...

cpython: Incomplete control character validation in http.cookies

A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update, |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

CVE-2026-32688 Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plugcowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.toatom/1 on the value returned by :cowboyreq.scheme/1. For HTTP/2...

CVE-2026-32688

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plugcowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.toatom/1 on the value returned by :cowboyreq.scheme/1. For HTTP/2...

EEF-CVE-2026-32688 Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy

Summary Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plugcowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.toatom/1 on the value returned by :cowboyreq.scheme/1. Fo...

CVE-2026-23483

creationtimestamp| type| source ---|---|--- 2026-04-27 12:07:05+00:00| confirmed| https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-23483.yaml...

USN-8208-1 haproxy vulnerability

Martino Spagnuolo discovered that HAProxy did not check received body lengths in the HTTP/3 parser. A remote attacker could possibly use this issue to perform a request smuggling attack and obtain sensitive information...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the default authentication path to / when not explicitly configured in BasicAuthenticationConfigurer and JWTAuthenticationConfigurer. An attacker can access protected business...

CVE-2026-40022 Apache Camel Platform HTTP Main: Authentication Bypass on Non-Root Context Paths in camel main runtime

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server camel-platform-http-main and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and...

CVE-2026-40022 Apache Camel Platform HTTP Main: Authentication Bypass on Non-Root Context Paths in camel main runtime

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server camel-platform-http-main and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and...

CVE-2026-7098

A security vulnerability has been detected in Tenda F456 1.0.0.5. Impacted is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. Such manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit has been...

EUVD-2026-25791

The fix for CVE-2025-27636 added setLowerCasetrue to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCasetrue call was not applied to five non-HTTP HeaderFilterStrategy...

CVE-2026-40453 Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection

The fix for CVE-2025-27636 added setLowerCasetrue to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCasetrue call was not applied to five non-HTTP HeaderFilterStrategy...

ROOT-APP-MAVEN-CVE-2025-22227 CVE-2025-22227 in io.root.io.projectreactor.netty:reactor-netty-http - Patched by Root

Root has patched CVE-2025-22227 in the io.root.io.projectreactor.netty:reactor-netty-http package for Root:Maven. Multiple fixed versions available...