Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

GHSA-V8J7-HP7C-738F Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

SUSE CVE-2026-31747

In the Linux kernel, the following vulnerability has been resolved: comedi: me4000: Fix potential overrun of firmware buffer me4000xilinxdownload loads the firmware that was requested by requestfirmware. It is possible for it to overrun the source buffer because it blindly trusts the file format...

SUSE CVE-2026-32597

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 �4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...

GHSA-7J59-V9QR-6FQ9 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

Summary The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. This vulnerability is present in the RedirectHandlers...

NPM: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

NPM: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect vulnerability discovered by ? in WordPress Npm kiota-typescript versions 1.0.0-preview.100...

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling when parsed HTTP requests contain malformed Transfer-Encoding headers...

Netty Lz4FrameDecoder is vulnerable to resource exhaustion

Summary Lz4FrameDecoder allocates a ByteBuf of size decompressedLength up to 32 MB per block before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. Details...

Netty HTTP/3 QPACK literal unbounded allocation

Summary When Netty decodes HTTP/3 headers, it sometimes runs new bytelength using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length on the order of a gigabyte. Details When decoding header blocks, the non-Huffman branch of...

GHSA-2C5C-CHWR-9HQW Netty HTTP/3 QPACK literal unbounded allocation

Summary When Netty decodes HTTP/3 headers, it sometimes runs new bytelength using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length on the order of a gigabyte. Details When decoding header blocks, the non-Huffman branch of...

Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

NETTY HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization | Field | Value | |-----------|-------| | Library | io.netty:netty-codec-http | | Component | codec-http — HttpObjectDecoder | | Severity | HIGH | | Affects | HEAD, commit 4f3533ae confirmed | --- Summary HttpObjectDecoder strips a...

Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)

Security Vulnerability Report: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions | | Component | io.netty.handler.proxy.HttpProxyHandler | |...

GHSA-45Q3-82M4-75JR Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)

Security Vulnerability Report: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions | | Component | io.netty.handler.proxy.HttpProxyHandler | |...

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection in the newInitialMessage function of HttpProxyHandler when header validation is explicitly disabled and user-influenced outboundHeaders are added without sanitization. An attacker can inject arbitrary HTTP headers into...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: squid (UTSA-2026-016516)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016516 advisory. A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response head...

PT-2026-38408

Name of the Vulnerable Software and Affected Versions microsoft-kiota-http-okHttp versions 1.9.0 and earlier kiota-dotnet affected versions not specified kiota-java affected versions not specified kiota-python affected versions not specified kiota-typescript affected versions not specified...

PT-2026-38375

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.2.13.Final Description When decoding HTTP/3 header blocks, the non-Huffman branch of the decodeHuffmanEncodedLiteral function in io.netty.handler.codec.http3.QpackDecoder may execute new bytelength for a string litera...

Linux Distros Unpatched Vulnerability : CVE-2026-43254

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ovpn: tcp - fix packet extraction from stream When processing TCP stream data in ovpntcprecv, we receive large cloned skbs from strprcv that may contain multipl...

PT-2026-38371

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage function creates headers using...

PT-2026-38411

Name of the Vulnerable Software and Affected Versions Kubetail Dashboard versions prior to 0.14.0 Kubetail Helm Chart versions prior to 0.23.0 Kubetail CLI versions prior to 0.16.0 Description Kubetail's dashboard exposes WebSocket endpoints that do not adequately validate the Origin header durin...