176 matches found

Source: OSV | added 2026/02/12 2:01 p.m. | 1 view

OPENSUSE-SU-2026:20204-1 Security update for python-aiohttp, python-Brotli

This update for python-aiohttp, python-Brotli fixes the following issues. Changes in python-aiohttp: - CVE-2025-69228: Fixed denial of service through large payloads (bsc1256022). - CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc1256020). - CVE-2025-69224: Fixed...

CVSS 8.7 | AI score 7.1 | EPSS 0.00424 | Exploits 0 | References 17
Source: OSV | added 2026/02/03 9:21 p.m. | 4 views

CVE-2026-25223 Fastify's Content-Type header tab character allows body validation bypass

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character \t followed by arbitrary content ...

CVSS 7.5 | AI score 5.5 | EPSS 0.00022 | Exploits 0 | References 8
Source: Packet Storm | added 2026/02/02 12:00 a.m. | 127 views

Gakido CRLF Injection

A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF sequences in user-supplied header values and names. Versions prior to 0.1.1 are affected. Gakido - CRLF Injection Advisory ID: RO-26-005 CVE ID: CVE-2026-24489 Severity: Medium Vendor: HappyHackingSpace...

CVSS 5.3 | AI score 5.4 | EPSS 0.00021 | Exploits 1
Source: IBM Security Bulletins | added 2026/01/29 1:44 p.m. | 14 views

Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana (OnPrem) build 1.0.311. Vulnerability Details: CVEID: CVE-2025-4878 DESCRIPTION: A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file function...

CVSS 8.6 | AI score 7 | EPSS 0.00208 | Exploits 2 | Affected Software 1
Source: Broadcom | added 2026/01/27 12:00 a.m. | 16 views

DoS due to improper input validation vulnerability in Apache Tomcat - CVE-2024-24549

A vulnerability was found in the Tomcat package due to its handling of HTTP/2 requests. Specifically, when an HTTP/2 request surpasses the predetermined limits for headers configured within the server, the associated HTTP/2 stream isn't reset immediately. Instead, the reset action occurs only aft...

CVSS 7.5 | AI score 5.8 | EPSS 0.6439 | Exploits 1
Source: RedhatCVE | added 2026/01/09 11:23 a.m. | 6 views

CVE-2021-31401

An issue was discovered in tcprcv in nptcp.c in HCC embedded InterNiche 4.0.1. The TCP header processing code doesn't sanitize the value of the IP total length field (header length + data length). With a crafted IP packet, an integer overflow occurs whenever the value of the IP data length is...

CVSS 7.5 | AI score 7.2 | EPSS 0.00498 | Exploits 0 | References 1
Source: Vulnrichment | added 2026/01/05 10:35 p.m. | 2 views

CVE-2025-69224 AIOHTTP's Unicode processing of header values could cause parsing discrepancies

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) ...

CVSS 6.3 | AI score 6.6 | EPSS 0.00047 | Exploits 0 | References 2
Source: Positive Technologies | added 2026/01/01 12:00 a.m. | 2 views

PT-2026-26045

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel contains a flaw within the RDMA/siw component related to header processing. Specifically, a potential NULL pointer dereference can occur in the siw_tcp_rx_data function ...

CVSS 7.5 | AI score 5.8 | EPSS 0.00078 | Exploits 0 | References 217
Source: Snyk | added 2025/12/18 7:44 p.m. | 2 views

Denial of Service (DoS)

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) via the LocalNode.Sess function when processing a crafted Local SEID header in a PFCP Session Modification Request. An attacker can disrupt service availability or cause other unintended effects by sending speciall...

CVSS 8.7 | AI score 6.8 | EPSS 0.00158 | Exploits 1 | References 2
Source: Tenable Nessus | added 2025/12/16 12:00 a.m. | 4 views

Apache Commons FileUpload < 1.6, 2.0.0-M1 < 2.0.0-M4 Denial of Service (CVE-2025-48976)

The version of Apache Commons FileUpload on the remote host is < 1.6, or 2.0.0-M1 < 2.0.0-M4. It is, therefore, affected by a denial of service vulnerability due to allocation of resources for multipart headers with insufficient limits. Note that Nessus has not tested for these issues but has instead...

CVSS 7.5 | AI score 7.3 | EPSS 0.01278 | Exploits 1 | References 3
Source: OSV | added 2025/12/11 9:15 p.m. | 1 view

UBUNTU-CVE-2025-64702

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...

CVSS 5.3 | AI score 5.8 | EPSS 0.00019 | Exploits 0 | References 4
Source: EUVD | added 2025/12/05 6:18 p.m. | 4 views

EUVD-2025-201455

cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT,...

CVSS 10 | AI score 6.5 | EPSS 0.00031 | Exploits 1 | References 2
Source: EUVD | added 2025/11/25 7:21 a.m. | 2 views

EUVD-2025-199588

Security Point Windows of MaLion and MaLionCloud contains a stack-based buffer overflow vulnerability in processing HTTP headers. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege...

CVSS 9.8 | AI score 7.8 | EPSS 0.00317 | Exploits 0 | References 3
Source: Positive Technologies | added 2025/11/25 12:00 a.m. | 4 views

PT-2025-48024

Security Point Windows of MaLion and MaLionCloud contains a stack-based buffer overflow vulnerability in processing HTTP headers. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege...

CVSS 9.8 | AI score 8.3 | EPSS 0.00317 | Exploits 0 | References 3
Source: Hacker One | added 2025/11/14 6:53 p.m. | 9 views

Django: ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion

ASGIRequest header concatenation quadratic CPU DoS. Reporter: Jiyong Yang / BAEKSEOK University. Target: Django current main, affects all versions with ASGI support. Type: Denial of Service (CPU exhaustion). Summary: django.core.handlers.asgi.ASGIRequest builds the META dictionary by iterating over the...

AI score 5.5 | Exploits 0
Source: Tenable Nessus | added 2025/09/01 12:00 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-52194

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A buffer overflow vulnerability exists in libsndfile version 1.2.2 and potentially earlier versions when processing malformed IRCAM audio files. The vulnerabili...

CVSS 7.5 | AI score 6.1 | EPSS 0.00348 | Exploits 1 | References 2
Source: BDU FSTEC | added 2025/08/04 12:00 a.m. | 2 views

The vulnerability of the Squid proxy server, related to buffer overflows in the dynamic memory when processing URN headers, allows attackers to execute arbitrary code.

The vulnerability of the Squid proxy server is related to the overflow of buffers in the dynamic memory during the processing of URN headers. Exploiting this vulnerability allows a remote attacker to execute arbitrary code by sending specially crafted HTTP requests...

CVSS 9.3 | AI score 8.1 | EPSS 0.19868 | Exploits 1 | References 7 | Affected Software 4
Source: CNNVD | added 2025/07/25 12:00 a.m. | 4 views

koa security vulnerability

koa is a Koa.js open source expressive middleware using node.js. A security vulnerability exists in koa 3.0.0 and earlier versions, which stems from a misbehavior of the parameter Referrer in the HTTP header processing component, which could lead to an open redirect...

CVSS 6.1 | AI score 4.5 | EPSS 0.0026 | Exploits 1 | References 7
Source: BDU FSTEC | added 2025/07/03 12:00 a.m. | 1 view

The vulnerability of the websReadEvent() function in Intelbras RX 1500 router microprogramming software allows an intruder to execute arbitrary code or cause a service failure.

The vulnerability of the websReadEvent() function in Intelbras RX 1500 router microprogramming software is related to an integer overflow during the processing of the HTTP header field. Exploiting this vulnerability allows a remote attacker to execute arbitrary code or cause a service failure by sendi...

CVSS 10 | AI score 6.1 | EPSS 0.0044 | Exploits 1 | References 3 | Affected Software 1
Source: CNNVD | added 2025/06/27 12:00 a.m. | 4 views

diyhi bbs security vulnerability

diyhi bbs patrol cloud light forum system is a forum system for diyhi individual developers. A security vulnerability exists in diyhi bbs version 6.8 and earlier, which stems from improper manipulation of the Host parameter in the getUrl function of the HTTP header processing component, which cou...

CVSS 7.2 | AI score 6.4 | EPSS 0.00269 | Exploits 1 | References 6