13007 matches found
EUVD-2025-210242
Unauthenticated Local File Inclusion in Line Agency = 1.3.1 versions...
CVE-2025-69175 WordPress Line Agency theme <= 1.3.1 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Line Agency = 1.3.1 versions...
CVE-2026-27869 WEB SERVICE (HTTP) DENIAL OF SERVICE VIA SLOW HEADERS ON REGESTA SMART HD-PLC OF TELDAT
An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat in this case, NO registration action is required who has the vulnerable software could, with a Slow Loris attack, cause Denial of Service DoS on the web interface of the device. This issue affects Regesta Smart...
postgresql: PostgreSQL libpq: Buffer overflow allows server superuser to overwrite client stack memory
A flaw was found in PostgreSQL libpq. A server superuser can exploit a buffer overflow vulnerability in the PQfn function, which is used by client functions such as loexport, loread, lolseek64, and lotell64. This allows the superuser to send an arbitrarily large response, overwriting the client's...
[SECURITY] Fedora 44 Update: 7zip-26.01-1.fc44
7-Zip is a file archiver with a high compression ratio. The main features of 7-Zip are: High compression ratio in 7z format with LZMA and LZMA2 compression Supported formats: Packing / unpacking: 7z, XZ, BZIP2, GZIP, TAR, ZIP and WIM Unpacking only: AR, ARJ, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT,...
EUVD-2026-36468
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted...
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
Summary Before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControlb is true 0x00–0x1F and 0x7F as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance...
GHSA-63HW-FMQ6-XXG2 aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Summary It is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. Impact If using the optimised C parser the default in pre-built wheels, then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potential...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the C HTTP parser when the maxlinesize check is bypassed for fragmented lines. An attacker can cause excessive memory consumption by sending oversized HTTP request lines, potential...
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Summary It is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. Impact If using the optimised C parser the default in pre-built wheels, then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potential...
GHSA-M6QW-4CW2-HM4M aiohttp: CRLF injection in multipart headers
Summary Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. Impact In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.appendheaders=... or Payload.headers, the...
GHSA-HMW2-7CC7-3QXX form-data: CRLF injection in form-data via unescaped multipart field names and filenames
Summary form-data builds multipart/form-data request bodies. Through v4.0.5, the field name passed to FormDataappend and the filename option are concatenated directly into the Content-Disposition header with no escaping of CR \r, LF \n, or ". An application that uses untrusted input as a field na...
CVE-2026-50020
A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...
UBUNTU-CVE-2026-43966
Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cowhttpstructhd:escapestring/2 in cowlib only escapes \ and ", passing all other byt...
PT-2026-49591
Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.14.1 Description An issue exists in the C parser of the asynchronous HTTP client/server framework where the max line size check can be bypassed in parts of an HTTP request. When using the optimized C parser, which i...
PT-2026-49536
Name of the Vulnerable Software and Affected Versions browserstack-cypress-cli versions prior to 1.36.4 Description The browserstack-cypress-cli allows users to run Cypress tests on BrowserStack. An OS command injection is possible through the cypress config file configuration parameter. In the...
Malicious code in claudechor (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a9cbb36cf7ed82685830b5d3a2b341bff9ef86e2688842d1f54259b2b6fb533 The package's bin entry reads installer-owned Claude credential files /.claude/.credentials.json and /.claude.json — written by Anthropic's official...
CVE-2026-42853
Vulnerability: CVE-2026-42853 affects ApostropheCMS CLI (@apostrophecms/cli) versions up to 3.6.0. Description: command injection in the apos create flow caused by embedding unsanitized password-prompt input directly into a shell command, enabling arbitrary command execution on the host. Root cau...
CVE-2026-42850
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as su...
aetherion
/\ | | | | | |...