Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Summary The HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response...

EUVD-2026-24477

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser...

CVE-2026-40910 frp: Authentication bypass in frp HTTP vhost routing when routeByHTTPUser is used for access control

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser...

EUVD-2026-24472

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...

WordPress HTTP Headers plugin <= 1.19.2 - Authenticated (Administrator+) CRLF Injection vulnerability

Authenticated Administrator+ CRLF Injection vulnerability discovered by Kai Aizen in WordPress Plugin HTTP Headers versions = 1.19.2...

WordPress HTTP Headers plugin <= 1.19.2 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Daniel Basta whizzu - NASK PIB in WordPress Plugin HTTP Headers versions = 1.19.2...

bagbag (>=0.72.2 <=0.75.43), chameli (>=0.1.9 <=0.1.13) +29 more potentially affected by CVE-2026-40606 via mitmproxy (>=0.17.0 <=12.2.1)

mitmproxy PYPI version =0.17.0, =0.72.2, =0.1.9, =0.1.0, =0.0.0, =4.0.0, =0.34.0, =0.14.1, =4.0.0, =0.11.0, =3.7.6, =2.0.0b0, =1.0.0, =0.9.0, =1.1.0 and more Source cves: CVE-2026-40606 Source advisory: OSV:PYSEC-2026-92...

UBUNTU-CVE-2026-40606

mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP...

CVE-2026-40606

mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP...

CVE-2026-40611 Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider

Let's Encrypt client and ACME library written in Go Lego. Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to...

CVE-2026-40608 Next AI Draw.io: Unbounded HTTP Body — Denial of Service

Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers /api/state, /api/restore, and /api/history-svg that process incoming requests by accumulating the entire request body into a...

Important: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 3.0.10

Red Hat OpenShift Service Mesh 3.0.10 This update has a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Red Hat OpenShift Service Mesh...

CLSA-2026-1776791510 nginx: Fix of 5 CVEs

CVE-2017-7529: fix integer overflow in range filter - CVE-2018-16843: fix excessive memory consumption in HTTP/2 - CVE-2018-16844: fix excessive CPU usage in HTTP/2 - CVE-2019-9511: fix excessive memory growth via HTTP/2 DATA frame manipulation - CVE-2019-9513: fix excessive CPU usage via HTTP/2...

nginx: Fix of 5 CVEs

CVE-2017-7529: fix integer overflow in range filter - CVE-2018-16843: fix excessive memory consumption in HTTP/2 - CVE-2018-16844: fix excessive CPU usage in HTTP/2 - CVE-2019-9511: fix excessive memory growth via HTTP/2 DATA frame manipulation - CVE-2019-9513: fix excessive CPU usage via HTTP/2...

CLSA-2026-1776788664 perl: Fix of CVE-2023-31486

CVE-2023-31486: add verifySSL=1 to HTTP::Tiny default configuration...

CVE-2025-31958

HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end...

CVE-2025-31958 HCL BigFix Service Management (SM) is susceptible to HTTP Request Smuggling

HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end...

CVE-2025-31958 HCL BigFix Service Management (SM) is susceptible to HTTP Request Smuggling

HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end...

SUSE-SU-2026:1509-1 Security update for nodejs22

This update for nodejs22 fixes the following issues: Update to version 22.22.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. - CVE-2026-21716: incomplete fix for...

PT-2026-34075

Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft component: Employee Snapshot. The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise...