Lucene search
K

877 matches found

Patchstack
Patchstack
added 2026/06/19 2:21 p.m.7 views

NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding vulnerability discovered by ? in WordPress Npm undici versions 6.27.0...

5.9CVSS5.8AI score0.00257EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/19 2:21 p.m.11 views

GHSA-P88M-4JFJ-68FV undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Impact undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

5.9CVSS6AI score0.00257EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.8 views

Kirby: Request header injection in `Http\Remote`

TL;DR This vulnerability affects Kirby sites and plugins that use the Kirby\Http\Remote class including Remote::request, Remote::get, Remote::post, and similar helpers to send outgoing HTTP requests and that pass untrusted, user-controlled data into the headers option of such a request. By...

6.9CVSS5.9AI score0.0029EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.13 views

PT-2026-50722

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Kirby sites and plugins using the KirbyHttpRemote class, including the functions Remote::request, Remote::get, and Remote::post, are susceptible to HTTP header injection...

6.9CVSS6AI score0.0029EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/17 11:9 p.m.8 views

CVE-2026-9679

A flaw was found in undici. The cookie parser in the parseSetCookie function incorrectly decodes cookie values, which is contrary to standard specifications. This vulnerability allows an attacker-controlled upstream to inject arbitrary HTTP response headers, such as Set-Cookie, Location, or...

5.9CVSS5AI score0.00257EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/17 4:56 p.m.25 views

CVE-2026-9679 undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

5.9CVSS0.00257EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/17 12:0 a.m.8 views

Bosch Security Systems IP Cameras Improper Input Validation (CVE-2021-23853)

In Bosch IP cameras, improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, Inc...

9.8CVSS8.5AI score0.00856EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/11 2:44 p.m.11 views

EUVD-2026-36252

IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

6.5CVSS5.3AI score0.00149EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.19 views

PT-2026-48672

Name of the Vulnerable Software and Affected Versions IBM DevOps Plan versions 3.0.0 through 3.0.6 Description An issue exists due to improper validation of input within the Host header of HTTP requests. This allows for HTTP header injection, which can be leveraged to perform cross-site scripting...

6.5CVSS5.7AI score0.00149EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.7 views

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS : Netty vulnerabilities (USN-8401-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8401-1 advisory. It was discovered that Netty's HTTP proxy handler did not properly validate heade...

9.8CVSS7.5AI score0.00969EPSS
Exploits6References7
RedHat Linux
RedHat Linux
added 2026/06/10 12:5 p.m.14 views

Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.4 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...

9.8CVSS6.8AI score0.00969EPSS
Exploits5References35
Tenable Nessus
Tenable Nessus
added 2026/06/10 12:0 a.m.11 views

EulerOS 2.0 SP13 : busybox (EulerOS-SA-2026-2324)

According to the versions of the busybox packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : BusyBox wget thru 1.3.7 accepted raw CR 0x0D/LF 0x0A and other C0 control bytes in the HTTP request- target path/query, allowing the request line...

6.5CVSS7.2AI score0.00285EPSS
Exploits1References2
SUSE Linux
SUSE Linux
added 2026/06/09 8:14 a.m.12 views

Security update for netty, netty-tcnative

This update for netty, netty-tcnative fixes the following issues CVE-2026-41417: missing validations leads to HTTP request smuggling and RTSP request injection via start-line injection in DefaultHttpRequest.setUri bsc1264350. CVE-2026-42578: HTTP Header Injection via HttpProxyHandler Disabled...

8.8CVSS6.7AI score0.00969EPSS
Exploits11References48
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/09 6:7 a.m.10 views

Security Bulletin: IBM Cloud Pak for Data System 1.0 is affected by multiple vulnerabilities

Summary IBM Cloud Pak for Data System 1.0 CPDS 1.0 includes multiple third-party components that are affected by various security vulnerabilities. These vulnerabilities include denial of service issues in the Linux kernel and Python components, command injection vulnerabilities in Python's imapli...

8.8CVSS7.6AI score0.01525EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/06/05 5:38 a.m.13 views

BIT-ACTIVEMQ-2026-42253 Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

6.1CVSS5.4AI score0.01107EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.21 views

PT-2026-45839

Name of the Vulnerable Software and Affected Versions tesla versions 0.8.0 through 1.18.2 Description Improper Neutralization of CRLF Sequences in HTTP Headers, also known as HTTP Request/Response Splitting, allows HTTP header injection. The function add content type param/2 within the...

2.1CVSS6.1AI score0.0017EPSS
Exploits0References13
ATTACKERKB
ATTACKERKB
added 2026/06/01 7:23 a.m.12 views

CVE-2026-42253

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

5.8AI score0.01107EPSS
Exploits1References2Affected Software2
Rockylinux
Rockylinux
added 2026/05/29 4:3 p.m.23 views

python3.14 security update

An update is available for python3.14. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Python is an interpreted, interactive, object-oriented programming...

9.1CVSS6.4AI score0.00621EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/29 3:51 p.m.16 views

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

5.3CVSS5.8AI score0.00228EPSS
Exploits1References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/27 6:40 a.m.19 views

Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image

Summary Multiple vulnerabilities were addressed in IBM Observability with Instana within Instana Agent container image build 1.0.319 Vulnerability Details CVEID:CVE-2026-33871 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and...

9.8CVSS7.5AI score0.01125EPSS
Exploits4Affected Software1
Rows per page
Query Builder