Amazon Linux 2023 : python3.13-tornado (ALAS2023-2026-1528)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1528 advisory. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers where it could be used for head...

CVE-2024-40489

There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests...

PT-2026-29619

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive...

PT-2026-29547

There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests...

SUSE CVE-2026-4789

Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions...

SUSE CVE-2026-24030

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly...

CVE-2026-32696

NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.httpauth HTTP authentication, when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P...

DEBIAN-CVE-2026-34441

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread...

Security update for python-tornado

This update for python-tornado fixes the following issues: CVE-2025-67724: missing validation of the supplied reason phrase bsc1254903. CVE-2025-67725: Denial of Service DoS via maliciously crafted HTTP request caused by the HTTPHeaders.add method bsc1254905. CVE-2026-31958: parsing large multipa...

CVE-2026-34441 cpp-httplib: HTTP Request Smuggling via Unconsumed GET Request Body

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread...

CVE-2026-34441

cpp-httplib (C++11 single-file header-only HTTP/HTTPS library) is vulnerable to HTTP Request Smuggling prior to version 0.40.0. The server’s static file handler serves GET responses without consuming the request body, so on HTTP/1.1 keep-alive connections unread body bytes remain on the TCP strea...

CVE-2026-34441

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread...

EUVD-2026-17672

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread...

CVE-2026-34441

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread...

CVE-2026-34733

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition...

CVE-2026-34381

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on admmyfiles/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently igno...

EUVD-2026-17622

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on admmyfiles/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently igno...

CVE-2026-34784

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...

CVE-2026-34784

Parse Server has a vulnerability where file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on streaming storage adapters (e.g., GridFS). This can let an attacker access files that should be protected by authorization logic. The issue is fixed in vers...

CVE-2026-34359 HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer uses String.startsWith to match request URLs against configured server URLs for authentication credential dispatch. Because configured...