EUVD-2026-35131

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cowhttpstructhd:escapestring/2 in cowlib only escapes \ and ", passing all other byt...

SUSE-SU-2026:22050-1 Security update for elemental-register

This update for elemental-register fixes the following issue - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260277. Changes: - Update to v1.9.2: 71d1fb9c Local node labels 984 ce6acda9 Bump golang.org/x/net to v0.55...

PT-2026-47347

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow http struct hd:escape string/2 in cowlib only escapes and ", passing all other...

Amazon Linux 2023 : tomcat10, tomcat10-admin-webapps, tomcat10-el-5.0-api (ALAS2023-2026-1776)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1776 advisory. Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from...

Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2026-1770)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1770 advisory. Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from...

CVE-2026-43870

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting', Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift:...

BIT-ACTIVEMQ-2026-42253 Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

Traefik 2.11.x < 2.11.38 / 3.x < 3.6.9 Connection Header Bypass

The version of Traefik installed on the remote macOS host is 2.11.x prior to 2.11.38 or 3.x prior to 3.6.9. It is, therefore, affected by a vulnerability: - A flaw exists in HTTP/1.1 request handling due to case-sensitive comparison of Connection header tokens against protected header names. An...

PT-2026-45992

Mercusys AC12G EU V1 router with firmware AC12GEU V1 200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...

PT-2026-45941

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat x0b, x0c, x1c, x1d, x1e, or x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

CVE-2026-48596 CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.addcontenttypeparam/2. Tesla.Multipart.addcontenttypeparam/2 appends caller-supplied strings to the multipart...

Security Bulletin: Multiple Vulnerabilities in IBM Bob

Summary Multiple vulnerabilities were addressed in IBM Bob V 1.0.3 Vulnerability Details CVEID:CVE-2026-40175 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype...

PT-2026-45839

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add content type param/2. Tesla.Multipart.add content type param/2 appends caller-supplied strings to the multipart...

CVE-2026-10269

Summary (CVE-2026-10269) : A vulnerability in decolua 9router

CVE-2026-42253

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

9Router 授权问题漏洞

9Router is an intelligent routing and authorization AI model proxy tool developed by decolua’s individual developers. Versions of 9Router prior to 0.4.0 contained an authorization vulnerability. This vulnerability stemmed from incorrect handling of the Host parameter in the function isAuthenticat...

python3.14 security update

An update is available for python3.14. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Python is an interpreted, interactive, object-oriented programming...

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-40175)

Summary IBM Security SOAR uses an older version of the Axios component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.10.0 Vulnerability Details CVEID:CVE-2026-40175 DESCRIPTION: Axios i...

CLSA-2026-1779968889 Fix of 7 CVEs

SECURITY UPDATE: Authentication Bypass in digest authentication - debian/patches/CVE-2026-43512.patch: reject digest authentication attempts for unknown users in getDigest - CVE-2026-43512 SECURITY UPDATE: Account lockout bypass in LockOutRealm via case variation of user names -...