Apache Tomcat - HTTP Request Smuggling

Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicio...

PT-2026-45941

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat x0b, x0c, x1c, x1d, x1e, or x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

SUSE CVE-2026-45372

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check isfieldvalue is run before decoding, so encode...

CVE-2026-48682

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simplepacketparserng.cpp, after validating that the packet contains at least sizeofipv4headert bytes 20 bytes, the code advances the localpointer by '4 ipv4header-getihl' line 164 without...

Updated perl-IO-Compress package fixes security vulnerabilities

The updated package fixes security vulnerabilities: IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. CVE-2025-15649 IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in...

CVE-2026-8468

Allocation of Resources Without Limits or Throttling vulnerability in plugproject plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':readpartheaders/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on t...

Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy

...

CVE-2025-15649 IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. dosToUnixTime decodes the local-file-header last-modification date field and calls Time::Local::timelocal without an eval guard. A header whose date field decodes to ...

CVE-2025-15649

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. dosToUnixTime decodes the local-file-header last-modification date field and calls Time::Local::timelocal without an eval guard. A header whose date field decodes to ...

CVE-2026-47066

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackneyaltsvc.erl does not guarantee forward progress. When parsetoken/2 receives a non-token, non-whitespace, non-comma byte e.g. !, @, =, ...

Fedora 43 : python-pulp-glue / python-requests (2026-8ad863685a)

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-8ad863685a advisory. 2.33.1 2026-03-30 ------------------- Bugfixes - Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. - Fixed...

SUSE CVE-2026-44067

A heap over-read in extended attribute EA header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data...

Linux Distros Unpatched Vulnerability : CVE-2026-8466

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart...

RockyLinux 8 : osbuild-composer (RLSA-2025:7967)

The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:7967 advisory. golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing CVE-2025-30204 Tenable has extracted the preceding description block directly from...

RLSA-2025:7967 Important: osbuild-composer security update

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients. Security Fixes:...

osbuild-composer security update

An update is available for osbuild-composer. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list A service for building customized OS artifacts, such as VM images an...

CVE-2026-44067

A heap over-read in extended attribute EA header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data...

CVE-2026-44067

A heap over-read in extended attribute EA header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data...

EUVD-2026-31214

A heap over-read in extended attribute EA header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data...

CVE-2026-44067 EA header parsing heap over-read

A heap over-read in extended attribute EA header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data...