Lucene search
K

4466 matches found

CVE
CVE
added yesterday39 views

CVE-2026-45070

This CVE concerns Symfony's Mime ParameterizedHeader: parameter names are emitted verbatim in serialized headers, allowing CRLF or non-token bytes to be injected via untrusted input. Affected component: Symfony\Component\Mime\Header\ParameterizedHeader (and related Headers). Root cause: names are...

6.3CVSS6.1AI score0.00056EPSS
Exploits0References6
CVE
CVE
added yesterday88 views

CVE-2026-45067

The CVE affects Symfony MIME Address: the constructor previously accepted local-parts like "x\r\nBcc: attacker@evil" which could be emitted into message headers and SMTP commands (MAIL FROM/RCPT), enabling CRLF injection. The issue’s root cause is acceptance of line breaks in quoted local-parts; ...

6.3CVSS6.1AI score0.00062EPSS
Exploits0References6
CVE
CVE
added yesterday8 views

CVE-2025-62826

Summary: CVE-2025-62826 describes an HTTP Response Splitting (CWE-113) in Fortinet FortiOS and FortiProxy products. Affected versions: FortiOS 7.6.0–7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions; FortiProxy 7.6.0–7.6.4, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions. Root ca...

4.3CVSS6.2AI score
Exploits0References1Affected Software2
CVE
CVE
added yesterday5 views

CVE-2025-62675

The CVE-2025-62675 entry concerns an issue described as an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) in Fortinet FortiOS and FortiProxy products. Affected versions are FortiOS 7.6.0–7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiProxy 7.6...

4.3CVSS6.2AI score
Exploits0References1Affected Software2
Nuclei
Nuclei
added yesterday40 views

ExponentCMS <= 2.6 - Host Header Injection

An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponentconstants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack vector for MITM. id: CVE-2021-38751 info: name: ExponentCMS = 2.6 - Host Header Injection author:...

4.3CVSS6.2AI score0.02468EPSS
Exploits1References5
Nuclei
Nuclei
added 2 days ago27 views

Ruby on Rails - Open Redirect via Host Header Injection

Ruby on Rails action pack before 6.1.2.1, 6.0.3.5 contains an open redirect caused by special crafted Host headers in combination with allowed host formats, letting attackers redirect users to malicious websites, exploit requires attacker to control Host headers. id: CVE-2021-22881 info: name: Ru...

6.1CVSS6.6AI score0.87301EPSS
Exploits1References2
NVD
NVD
added 4 days ago8 views

CVE-2026-15155

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget...

8.8CVSS0.00367EPSS
Exploits0References9
EUVD
EUVD
added 4 days ago9 views

EUVD-2026-43160

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget...

8.8CVSS6.1AI score0.00367EPSS
Exploits0References9
CVE
CVE
added 4 days ago25 views

CVE-2026-15155

The CVE-2026-15155 entry concerns the WordPress plugin Essential Addons for Elementor (

8.8CVSS6.1AI score0.00367EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 4 days ago10 views

PT-2026-57416

Name of the Vulnerable Software and Affected Versions The Essential Addons for Elementor versions prior to 6.6.11 Description Insufficient server-side validation of a Login/Register widget setting allows authenticated attackers with Contributor-level access or higher to perform Email Header...

8.8CVSS6.1AI score0.00367EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 5 days ago7 views

CVE-2026-53878

A flaw was found in Django. django.core.validators.DomainNameValidator accepted newline characters in domain name input. When applications use this validator outside Django form fields and include the validated value in HTTP response headers, a remote attacker could perform HTTP header injection...

6.1CVSS6.1AI score0.00217EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago18 views

EUVD-2026-34012

Tesla vulnerable to multipart part smuggling via unescaped content-disposition values...

2.1CVSS5.9AI score0.00143EPSS
Exploits0References5
EUVD
EUVD
added 5 days ago13 views

EUVD-2026-34016

Tesla has CRLF injection in request Content-Type header via addcontenttypeparam...

2.1CVSS5.9AI score0.0017EPSS
Exploits0References5
NVD
NVD
added 6 days ago7 views

CVE-2026-50188

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request, Remote::get, and Remote::post, to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters...

6.9CVSS0.0029EPSS
Exploits0References5
OSV
OSV
added 6 days ago2 views

CVE-2026-50188 Kirby: Request header injection in `Http\Remote`

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request, Remote::get, and Remote::post, to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters...

6.9CVSS6.2AI score0.0029EPSS
Exploits0References7
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-50188 Kirby: Request header injection in `Http\Remote`

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request, Remote::get, and Remote::post, to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters...

6.9CVSS0.0029EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-50188

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request, Remote::get, and Remote::post, to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters...

6.9CVSS6AI score0.0029EPSS
Exploits0References6Affected Software1
CVE
CVE
added 6 days ago17 views

CVE-2026-50188

Kirby CMS is affected in versions prior to 4.9.4 and 5.4.4 where the Kirby\Http\Remote class (Remote::request/Remote::get/Remote::post) can be given untrusted header data. The issue stems from newline characters in header values being passed to the underlying HTTP request, allowing injection of a...

6.9CVSS6AI score0.0029EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 6 days ago5 views

netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation

A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected...

7.5CVSS6.9AI score0.00952EPSS
Exploits1References5
Cvelist
Cvelist
added last week33 views

CVE-2026-35210 OpenCTI: Authorization Bypass via `synchronized-upsert` HTTP Header Injection

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGEKNUPDATE permission to bypass Confidence Level validation and Object Marking...

7.1CVSS0.00252EPSS
Exploits0References4
Rows per page
Query Builder