101630 matches found
CVE-2026-44516 Valtimo: Sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer
Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers...
Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
Summary: Portainer proxies requests to Kubernetes clusters through a middleware layer, kubeClientMiddleware, that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missi...
NPM: n8n: HTTP Request Node Pagination Prototype Pollution to RCE
NPM: n8n: HTTP Request Node Pagination Prototype Pollution to RCE vulnerability discovered by ? in WordPress Npm n8n versions 1.123.43...
n8n: HTTP Request Node Pagination Prototype Pollution to RCE
Impact: An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. Patches: The issue has been fixed in n8n...
GHSA-C8XV-5998-G76H n8n: HTTP Request Node Pagination Prototype Pollution to RCE
Impact: An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. Patches: The issue has been fixed in n8n...
CVE-2025-62316
Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2025-62316 from the linked sources; no affected products, vectors, or remediation are stated.
CVE-2025-62316 HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured
HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions...
EUVD-2025-209854
HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. This may expose sensitive information to potential interception or unauthorized access during transmission under certain conditions...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to axios
Summary: IBM App Connect Enterprise runtime and IBM App Connect Enterprise Connector Discovery and OpenAPI Editor are vulnerable to multiple vulnerabilities due to axios. Vulnerability Details: CVEID: CVE-2026-42033 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior...
CVE-2026-44308 Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Spring Cloud AWS simplifies using AWS managed services in Spring and Spring Boot applications. From 3.0.0 to 4.0.1, applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did n...
curl: HTTP/3 paused transfer buffers incoming data without bound up to ~1 GiB
Hi all, When a libcurl application's CURLOPT_WRITEFUNCTION returns CURL_WRITEFUNC_PAUSE, libcurl routes subsequent incoming body data through cw-pause (lib/cw-pause.c). The bufq inside cw-pause is initialised with BUFQ_OPT_SOFT_LIMIT and a chunk size of 16 KiB (lib/cw-pause.c:51-52), which causes bufq to...
Moderate: Red Hat Security Advisory: libsoup3 security update
An update for libsoup3 is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available fo...
Security Bulletin: Erlang OTP inets httpd HTTP Request Smuggling via Duplicate Content-Length Handling
Summary: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP inets httpd module allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/...
SUSE CVE-2026-42926
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not...
Critical: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nginx: nginx-1.30.1-1.hum1 (aarch64, x86_64), nginx-all-modules-1.30.1-1.hum1 (noarch), nginx-core-1.30.1-1.hum1 (aarch64, x86_64), nginx-filesystem-1.30.1-1.hum1 (noarch), nginx-mod-devel-1.30.1-1.hum1 (aarch6...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: git-lfs (UTSA-2026-021307)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021307 advisory. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is us...
PT-2026-41165
Name of the Vulnerable Software and Affected Versions: CodeWhale versions prior to 0.8.22. Description: The fetch url tool implements a check using the is restricted ip function to validate the resolved IP address of an initial URL against a blocklist of restricted IPs, such as localhost, private...
Linux Distros Unpatched Vulnerability : CVE-2026-42945
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a...
www/nginx -- Remote Code Execution/DoS
nginx development team reports: When using the "proxy_set_body" directive, an attacker might inject data in the proxied request to an HTTP/2 backend. A heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_rewrite_module, potentially resultin...
Linux Distros Unpatched Vulnerability : CVE-2026-42578
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT...