Missing Critical Step in Authentication

Overview org.apache.httpcomponents.client5:httpclient5 is a HttpClient component of the Apache HttpComponents project. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the AuthenticationHandler's handleResponse method. The client may accept...

org.apache.httpcomponents.client5:httpclient5-cache (=5.6-alpha1), org.apache.httpcomponents.client5:httpclient5-fluent (=5.6-alpha1) +2 more potentially affected by CVE-2026-40542 via org.apache.httpcomponents.client5:httpclient5 (=5.6-alpha1)

org.apache.httpcomponents.client5:httpclient5 MAVEN version =5.6-alpha1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.httpcomponents.client5:httpclient5 and may be impacted: - org.apache.httpcomponents.client5:httpclient5-cache =5.6-alpha1...

SUSE-SU-2026:21353-1 Security update for haproxy

This update for haproxy fixes the following issues: Security issue: - CVE-2026-33555: Request smuggling via HTTP/3 parser desynchronization bsc1262103. - bug in SLZ compression bsc1261626...

SUSE-SU-2026:21280-1 Security update for haproxy

This update for haproxy fixes the following issues: Security issue: - CVE-2026-33555: Request smuggling via HTTP/3 parser desynchronization bsc1262103. - bug in SLZ compression bsc1261626...

SUSE-SU-2026:21390-1 Security update for haproxy

This update for haproxy fixes the following issues: Security issue: - CVE-2026-33555: Request smuggling via HTTP/3 parser desynchronization bsc1262103. - bug in SLZ compression bsc1261626...

Security Bulletin: Due to use of spring-security-web-6.5.8.jar, IBM Sterling Connect:Direct Web Services is affected by missing HTTP header in response issue.

Summary spring-security-web-6.5.8.jar is used by IBM Sterling Connect:Direct Web Services CVE-2026-22732. Vulnerability Details CVEID:CVE-2026-22732 DESCRIPTION: When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP...

MAL-2026-3013 Malicious code in undicy-http (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d4da47dd47cb80cf3a7a93cd81c2154b7cd905834b35f89f0703a5a8dab5d1e The package undicy-http was found to contain malicious code. Source: ghsa-malware daa1abf913048406268c31888f8b6defc0e69b49ba85dcbdb966fea8a3caf235 An...

Malicious code in undicy-http (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d4da47dd47cb80cf3a7a93cd81c2154b7cd905834b35f89f0703a5a8dab5d1e The package undicy-http was found to contain malicious code. Source: ghsa-malware daa1abf913048406268c31888f8b6defc0e69b49ba85dcbdb966fea8a3caf235 An...

SUSE CVE-2026-40611

Let's Encrypt client and ACME library written in Go Lego. Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to...

SUSE CVE-2026-40924

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: libsoup (UTSA-2026-014280)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014280 advisory. A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length...

PT-2026-34726

Name of the Vulnerable Software and Affected Versions Contour versions 1.19.0 through 1.31.5 Contour versions 1.32.0 through 1.32.4 Contour versions 1.33.0 through 1.33.3 Description The Cookie Rewriting feature is susceptible to Lua code injection. An attacker with RBAC permissions to create or...

libsoup 环境问题漏洞

Libsoup is a GNOME project’s HTTP client/server library. Libsoup has an environmental issue vulnerability, which stems from the HTTP/1 header parsing logic having request embedding. The soupmessageheaders.AppendCommon function appends header values without verification of duplicate or conflicting...

Flowise 安全漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, up to 3.1.0, contained a security vulnerability. This vulnerability stemmed from the password reset feature sending reset links via an insecure HTTP protocol, which cou...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: nginx (UTSA-2026-014291)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014291 advisory. When the ngxmailauthhttpmodulemodule is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occu...

Oracle HTTP Server (April 2026 CPU)

The versions of HTTP Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2026 CPU advisory. - Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 12.2.1.4.0 and...

Oracle HTTP Server (April 2026 CPU)

The versions of HTTP Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2026 CPU advisory. - Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 12.2.1.4.0 and...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: tomcat (UTSA-2026-014265)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014265 advisory. Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

EUVD-2026-25075

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...