com.akamai.edgegrid:edgegrid-signer-async-http-client (>=6.0.1 <=6.0.3-rc.1), com.arpnetworking.metrics:mad-experimental (>=1.2.4 <=1.2.11) +48 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.7)

org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =6.0.1, =1.2.4, =1.22.5, =1.13.8, =1.1.0, =0.4.8, =0.4.8, =0.4.8, =1.17.0, =1.17.0, =1.17.0, =0.5.0, =218.0.0, =14.5.0, =16.0.0 and more Source cves: CVE-2026-40490 Source advisory: OSV:GHSA-CMXV-58FP-FM3G...

AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects

Impact When redirect following is enabled followRedirecttrue, AsyncHttpClient forwards Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and...

Origin Validation Error

Overview org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client AHC classes. Affected versions of this package are vulnerable to Origin Validation Error in the Redirect30xInterceptor class. An attacker in control of a cross-origin redirect target via a different exploit...

ai.evolv:ascend-sdk (=0.5.0), app.peac:core (=0.0.1) +2566 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=2.0.0-RC1 <=2.12.4)

org.asynchttpclient:async-http-client MAVEN version =2.0.0-RC1, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.1.0, =0.2.0, =2.2, =2.0, =2.0-RC2 and more Source cves: CVE-2026-40490 Source advisory: SNYK:JAVA-ORGASYNCHTTPCLIENT-16032254...

ai.evolv:ascend-sdk (=0.5.0), app.peac:core (=0.0.1) +2550 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=2.0.0 <=2.12.4)

org.asynchttpclient:async-http-client MAVEN version =2.0.0, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.1.0, =0.2.0, =2.2, =2.0, =2.0-RC2 and more Source cves: CVE-2026-40490 Source advisory: OSV:GHSA-CMXV-58FP-FM3G...

nodejs:20 security update

An update is available for nodejs, module.nodejs-packaging, nodejs-packaging, module.nodejs, nodejs-nodemon, module.nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

GHSA-J98M-W3XP-9F56 excel-mcp-server has a Path Traversal issue

Summary A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on...

Linux Distros Unpatched Vulnerability : CVE-2026-2332

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the funky chunks techniques outlined here:...

Eclipse Jetty 环境问题漏洞

Eclipse Jetty is an open-source Java-based web server and Java Servlet container developed by the Eclipse Foundation. Eclipse Jetty has a vulnerability related to environmental issues, which stems from the HTTP/1.1 parser’s request interception vulnerability when using chunked extensions...

Apache Apisix 安全漏洞

Apache Apisix is a cloud-native microservices API gateway service provided by the Apache Foundation in the United States. This software is implemented based on OpenResty and etcd, featuring dynamic routing and hot loading of plugins. It is suitable for API management within microservice systems...

CVE-2025-65133

CVE-2025-65133 : A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can send a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database informati...

PT-2026-32678

Name of the Vulnerable Software and Affected Versions FortiSandbox versions 5.0.0 through 5.0.5 FortiSandbox versions 4.4.0 through 4.4.8 FortiSandbox version 4.2 FortiSandbox Cloud version 5.0.4 FortiSandbox PaaS version 5.0.4 Description An improper limitation of a pathname to a restricted...

Amazon Linux 2 : docker, --advisory ALAS2NITRO-ENCLAVES-2026-094 (ALASNITRO-ENCLAVES-2026-094)

"The version of docker installed on the remote host is prior to 25.0.14-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2026-094 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs...

Amazon Linux 2 : docker, --advisory ALAS2ECS-2026-106 (ALASECS-2026-106)

"The version of docker installed on the remote host is prior to 25.0.14-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-106 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix...

Fortinet FortiSandbox 跨站脚本漏洞

Fortinet FortiSandbox is an APT Advanced Persistent Threat protection device developed by the American company Fortinet. This device offers features such as dual sandbox technology, dynamic threat intelligence systems, a real-time control panel, and reporting capabilities. Versions of Fortinet...

Amazon Linux 2 : libvncserver, --advisory ALAS2-2026-3247 (ALAS-2026-3247)

The version of libvncserver installed on the remote host is prior to 0.9.9-14. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3247 advisory. LibVNCServer versions 0.9.15 and prior fixed in commit 009008e contain a heap out-of-bounds read vulnerability in th...

CVE-2026-35577

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run ...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

Important: Red Hat Security Advisory: nodejs:20 security update

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

EUVD-2026-21997

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...