Lucene search
K

737 matches found

Cvelist
Cvelist
added 2026/05/13 5:57 p.m.47 views

CVE-2026-42578 Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...

6.3CVSS0.00667EPSS
Exploits1References1
CVE
CVE
added 2026/05/13 5:57 p.m.51 views

CVE-2026-42578

Netty CVE-2026-42578 affects HttpProxyHandler prior to 4.2.13.Final and 4.1.133.Final. The issue arises because HttpProxyHandler builds CONNECT requests with header validation disabled (newInitialMessage uses DefaultHttpHeadersFactory.headersFactory().withValidation(false) and then appends user-p...

7.5CVSS5.9AI score0.00667EPSS
Exploits1References8Affected Software1
RedHat Linux
RedHat Linux
added 2026/05/13 3:29 p.m.6 views

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

7.5CVSS6.6AI score0.00269EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.8 views

Netty 注入漏洞

Netty is a non-blocking I/O client-server framework developed by the Netty community. It is primarily used for developing Java network applications, such as protocol servers and clients. Versions of Netty prior to 4.2.13.Final and 4.1.133.Final contained an injection vulnerability. This...

7.5CVSS6.9AI score0.00667EPSS
Exploits1References1
OSV
OSV
added 2026/05/12 6:30 p.m.7 views

GHSA-R29C-68GH-XP6X Apache Tomcat - HTTP/2 request headers not validated

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: HTTP/2 request headers were not validated which may have triggered unexpected application behaviour if the...

9.8CVSS5.8AI score0.01339EPSS
Exploits0References16
CVE
CVE
added 2026/05/12 3:19 p.m.95 views

CVE-2026-41293

Summary: CVE-2026-41293 is an Apache Tomcat vulnerability described as an Improper Input Validation issue. The connected sources confirm impact across multiple Tomcat branches: 11.0.0-M1 to 11.0.21, 10.1.0-M1 to 10.1.54, 9.0.0.M1 to 9.0.117, and 10.0.0-M1 to 10.0.27. The CVSS 3.1 data indicates a...

9.8CVSS5.7AI score0.01339EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/11 3:54 p.m.18 views

GHSA-WFC6-R584-VFW7 Next.js vulnerable to cache poisoning in React Server Component responses

Impact Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later...

5.4CVSS5.8AI score0.0025EPSS
Exploits0References5
Debian
Debian
added 2026/05/09 11:35 a.m.8 views

[SECURITY] [DSA 6259-1] pyjwt security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6259-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 09, 2026 https://www.debian.org/security/faq -...

7.5CVSS6.7AI score0.00269EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/05/07 2:34 a.m.19 views

Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

6.5CVSS5.8AI score0.0017EPSS
Exploits0References3Affected Software2
OSV
OSV
added 2026/05/07 2:34 a.m.13 views

GHSA-V8J7-HP7C-738F Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

6.5CVSS5.8AI score0.0017EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/07 12:11 a.m.22 views

Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)

Security Vulnerability Report: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions | | Component | io.netty.handler.proxy.HttpProxyHandler | |...

7.5CVSS7AI score0.00667EPSS
Exploits2References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.9 views

PT-2026-38371

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage function creates headers using...

9.8CVSS5.9AI score0.00667EPSS
Exploits1References475
Tenable Nessus
Tenable Nessus
added 2026/05/07 12:0 a.m.9 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: squid (UTSA-2026-016516)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016516 advisory. A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response head...

7.5CVSS7.1AI score0.05229EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/05/06 1:41 a.m.15 views

SUSE CVE-2026-43037

In the Linux kernel, the following vulnerability has been resolved: ip6tunnel: clear skb2-cb in ip4ip6err Oskar Kjos reported the following problem. ip4ip6err calls icmpsend on a cloned skb whose cb was written by the IPv6 receive path as struct inet6skbparm. icmpsend passes IPCBskb2 to...

7.5CVSS5.8AI score0.00563EPSS
Exploits0References27
NVD
NVD
added 2026/05/05 10:16 p.m.14 views

CVE-2026-40110

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match to check incoming origins against the alloworiginpat configuration value. Because re.match only anchors at the start of the string and does not require a...

7.6CVSS0.00333EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2026/05/05 10:32 a.m.9 views

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

7.5CVSS7.2AI score0.00269EPSS
Exploits1References5
NVD
NVD
added 2026/05/04 6:16 p.m.7 views

CVE-2026-42146

CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nbcolors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nbcolors value triggers an...

5.5CVSS0.00119EPSS
Exploits0References4
CVE
CVE
added 2026/05/04 5:42 a.m.41 views

CVE-2026-29199

CVE-2026-29199 affects phpBB prior to 3.3.16. The issue is a Host Header Injection in which, when force_server_vars is disabled, the server hostname is sourced from the HTTP Host header to build the password reset URL. An attacker who can control or influence the Host header can cause password re...

8.1CVSS5.8AI score0.00249EPSS
Exploits0References1Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/05/02 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-43037

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ip6tunnel: clear skb2-cb in ip4ip6err Oskar Kjos reported the following problem. ip4ip6err calls icmpsend on a cloned skb whose cb was written by the IPv6 recei...

9.8CVSS6.3AI score0.00563EPSS
Exploits0References3
NVD
NVD
added 2026/05/01 3:16 p.m.6 views

CVE-2026-43037

In the Linux kernel, the following vulnerability has been resolved: ip6tunnel: clear skb2-cb in ip4ip6err Oskar Kjos reported the following problem. ip4ip6err calls icmpsend on a cloned skb whose cb was written by the IPv6 receive path as struct inet6skbparm. icmpsend passes IPCBskb2 to...

9.8CVSS0.00563EPSS
Exploits0References42
Rows per page
Query Builder