CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added yesterday•3 views

CVE-2026-38967

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

9.8CVSS5.8AI score0.00018EPSS

IBM Security Bulletins•added yesterday•3 views

Security Bulletin: A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. (CVE-2026-4096)

Summary A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. Version 3.0.7 addresses the vulnerability. Vulnerability Details CVEID:CVE-2026-4096 DESCRIPTION: IBM DevOps Plan is vulnerable t...

5.7AI score

Exploits0Affected Software1

NVD•added yesterday•3 views

CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

3.7CVSS

EUVD•added yesterday•5 views

EUVD-2026-34092

Cvelist•added yesterday•11 views

CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

3.7CVSS

Vulnrichment•added yesterday•3 views

CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

ATTACKERKB•added yesterday•2 views

CVE-2026-44546

Exploits0References2Affected Software1

CVE•added yesterday•3 views

CVE-2026-44546

CVE-2026-44546 affects Daphne (before 4.2.2) in the WebSocket upgrade path. The root cause is a parser differential between Twisted’s parsed headers and Autobahn’s WebSocket handshake processing: Twisted does not treat certain control bytes (0x0b, 0x0c, 0x1c, 0x1d, 0x1e, 0x85) as header separator...

Nuclei•added yesterday•19 views

ExponentCMS <= 2.6 - Host Header Injection

An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponentconstants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack vector for MITM. id: CVE-2021-38751 info: name: ExponentCMS = 2.6 - Host Header Injection author:...

4.3CVSS6AI score0.08314EPSS

Exploits1References5

Nuclei•added yesterday•19 views

Ruby on Rails - Open Redirect via Host Header Injection

Ruby on Rails action pack before 6.1.2.1, 6.0.3.5 contains an open redirect caused by special crafted Host headers in combination with allowed host formats, letting attackers redirect users to malicious websites, exploit requires attacker to control Host headers. id: CVE-2021-22881 info: name: Ru...

6.1CVSS6.5AI score0.15453EPSS

Exploits1References2

Positive Technologies•added yesterday•4 views

PT-2026-45941

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat x0b, x0c, x1c, x1d, x1e, or x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

Tenable Nessus•added yesterday•1 views

Exploits0References2

RockyLinux 10 : python3.12 (RLSA-2026:19064)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19064 advisory. expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing CVE-2025-59375...

9.1CVSS6.2AI score0.00205EPSS

Exploits1References25

EUVD•added 2 days ago•4 views

EUVD-2026-34020

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

5.8AI score0.00018EPSS

Exploits0References3

NVD•added 2 days ago•6 views

CVE-2026-48596

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.addcontenttypeparam/2. Tesla.Multipart.addcontenttypeparam/2 appends caller-supplied strings to the multipart...

2.1CVSS0.00021EPSS

NVD•added 2 days ago•6 views

CVE-2026-48598

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.partheadersfordisposition/1 interpolates each disposition parameter as k="v" with no validation of CR \r, LF \n, o...

2.1CVSS0.00014EPSS

NVD•added 2 days ago•6 views

CVE-2026-38967

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

9.8CVSS0.00018EPSS

Exploits0References2

CVE•added 2 days ago•7 views

CVE-2026-48596

Summary: CVE-2026-48596 affects the Elixir Tesla library (tesla) in its multipart handling. The vulnerability is in Tesla.Multipart.add_content_type_param/2, which appends caller-supplied strings to content_type_params without validating CR (\r) or LF (\n). Tesla.Multipart.headers/1 then joins th...

2.1CVSS5.9AI score0.00021EPSS

ATTACKERKB•added 2 days ago•4 views

CVE-2026-48596

2.1CVSS5.9AI score0.00021EPSS

Exploits0References5Affected Software1

OSV•added 2 days ago•4 views

EEF-CVE-2026-48596 CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection

Summary Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.addcontenttypeparam/2. Tesla.Multipart.addcontenttypeparam/2 appends caller-supplied strings to the multipart...

2.1CVSS5.9AI score0.00021EPSS