Lucene search
+L

277 matches found

Github Security Blog
Github Security Blog
added 2026/05/07 12:22 a.m.17 views

Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

Summary Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present. According to RFC...

7.5CVSS6AI score0.00248EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/06 10:16 p.m.8 views

DEBIAN-CVE-2026-41417

Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...

5.3CVSS5.8AI score0.00307EPSS
Exploits1References1
Debian CVE
Debian CVE
added 2026/05/06 8:52 p.m.20 views

CVE-2026-41417

Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...

5.3CVSS5.8AI score0.00307EPSS
Exploits1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.8 views

HTTP Request Smuggling io.netty:netty-codec-http Dependency in Jira Software Data Center

This is a vulnerability in a non-Atlassian Jira dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. This High severity HTTP Request Smuggling vulnerability was introduced in versions 9.12.1, 10.3.0, 11.3.0 of Jira Software Data Center and Jira...

7.5CVSS5.2AI score0.0064EPSS
Exploits1
SUSE Linux
SUSE Linux
added 2026/05/06 12:8 p.m.10 views

Security update for erlang

This update for erlang fixes the following issues: CVE-2026-21620: remote arbitrary read/write via TFTP relative path traversal bsc1258663. CVE-2026-23941: HTTP Request Smuggling in Erlang OTP bsc1259687. CVE-2026-23942: path traversal vulnerability in Erlang OTP bsc1259681. CVE-2026-23943: denia...

9.1CVSS7.2AI score0.00644EPSS
Exploits0References20
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/04 4:7 p.m.12 views

Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in jetty-http (CVE-2026-2332)

Summary IBM Sterling Control Center is affected by a vulnerability CVE-2026-2332 reported for jetty-http-12.0.25.jar. Vulnerability Details CVEID:CVE-2026-2332 DESCRIPTION: In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "fun...

9.1CVSS5.8AI score0.01127EPSS
Exploits1Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/05/04 12:0 a.m.14 views

RHCOS 4 : OpenShift Container Platform 4.16.45 (RHSA-2025:11682)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:11682 advisory. - net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 Note that Nessus has not tested for this...

9.1CVSS7.2AI score0.00778EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/04/30 12:0 a.m.16 views

Amazon Linux 2 : tomcat, --advisory ALAS2TOMCAT9-2026-025 (ALASTOMCAT9-2026-025)

The version of tomcat installed on the remote host is prior to 9.0.117-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2026-025 advisory. Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via...

9.1CVSS7.3AI score0.0504EPSS
Exploits3References20
Tenable Nessus
Tenable Nessus
added 2026/04/24 12:0 a.m.14 views

openSUSE 16 Security Update : erlang (openSUSE-SU-2026:20607-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20607-1 advisory. Security issues fixed: - CVE-2026-21620: improper isolation and compartmentalization can lead to TFTP relative path traversal and remote arbitra...

9.8CVSS5.8AI score0.00644EPSS
Exploits0References22
UbuntuCve
UbuntuCve
added 2026/04/23 10:16 p.m.7 views

CVE-2026-2708

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soupmessageheadersappendcommon function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker...

5.3CVSS5.8AI score0.00321EPSS
Exploits1References1
OSV
OSV
added 2026/04/22 2:37 p.m.16 views

GHSA-XHJ4-VRGC-HR34 actix-http has HTTP/1.1 CL.TE Request Smuggling

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length. Severit...

6.3CVSS5.8AI score
Exploits0References4
OSV
OSV
added 2026/04/22 11:46 a.m.7 views

SUSE-SU-2026:21374-1 Security update for erlang

This update for erlang fixes the following issues: Security issues fixed: - CVE-2026-21620: improper isolation and compartmentalization can lead to TFTP relative path traversal and remote arbitrary reads/writes bsc1258663. - CVE-2026-23941: improper handling of duplicate Content-Length headers in...

9.8CVSS7.5AI score0.00644EPSS
Exploits0References16
NVD
NVD
added 2026/04/21 3:16 p.m.7 views

CVE-2025-31958

HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end...

8.2CVSS0.00177EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/17 6:51 p.m.16 views

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the Netty framework

Summary Due to use of the Netty framework, DevOps Test Performance and Rational Performance Tester contain a potential HTTP request smuggling vulnerability. Vulnerability Details CVEID:CVE-2026-33870 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions...

7.5CVSS5.7AI score0.0064EPSS
Exploits1Affected Software1
OSV
OSV
added 2026/04/15 1:37 p.m.4 views

SUSE-SU-2026:1353-1 Security update for netty, netty-tcnative

This update for netty, netty-tcnative fixes the following issues: Upidate to 4.1.132: - CVE-2026-33870: incorrectly parses quoted strings in HTTP/1.1 can lead to request smuggling bsc1261031. - CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service bsc1261043...

8.7CVSS5.9AI score0.01125EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2026/04/10 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-24880

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects...

7.5CVSS7AI score0.00453EPSS
Exploits0References3
NVD
NVD
added 2026/04/09 8:16 p.m.4 views

CVE-2026-24880

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100,...

7.5CVSS0.00453EPSS
Exploits0References2
UbuntuCve
UbuntuCve
added 2026/04/09 8:16 p.m.3 views

CVE-2026-24880

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100,...

7.5CVSS5.8AI score0.00453EPSS
Exploits0References3
OSV
OSV
added 2026/04/09 8:16 p.m.5 views

UBUNTU-CVE-2026-24880

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100,...

7.5CVSS5.8AI score0.00453EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/04/09 12:37 p.m.2 views

ruby: Potential HTTP request smuggling in WEBrick

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

7.5CVSS6.6AI score0.03849EPSS
Exploits0References5
Rows per page
Query Builder