546 matches found
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: libsoup (UTSA-2026-014298)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014298 advisory. A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF Carriage Return Line Feed Injection, occurs when an HTTP proxy is configured a...
GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...
PT-2026-33702
SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of CRLF sequences 'CRLF Injection' vulnerability. Processing some crafted configuration data may lead to arbitrary entries injected to the system configuration...
CVE-2026-6351
MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files...
CVE-2026-6351 Openfind|MailGates/MailAudit - CRLF Injection
MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files...
HTTP client proxy tunnel headers not validated for CR/LF
...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...
CVE-2026-1502
A flaw was found in Python. This vulnerability allows for the injection of extra information into HTTP communication. Specifically, the system does not properly prevent special characters carriage return and line feed from being included in HTTP client proxy tunnel headers or host fields...
CVE-2026-39983
A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker can exploit this vulnerability by injecting Carriage Return Line Feed CRLF sequences into file path parameters used by high-level APIs. This allows the attacker to split a single intended FTP command into multiple command...
EUVD-2026-21519
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...
UBUNTU-CVE-2026-1502
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...
CVE-2026-1502
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...
PSF-2026-15
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...
CVE-2026-1502
The CVE-2026-1502 entry concerns CR/LF bytes not being rejected by HTTP client proxy tunnel headers or host, as described in both the CVE record and the CVE-List entry. The connected documents indicate this is related to HTTP client proxy tunnel header validation, without providing specific affec...
CVE-2026-1502
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...
CVE-2026-1502
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...
CVE-2026-1502 HTTP client proxy tunnel headers not validated for CR/LF
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...
CVE-2026-35601
CVE-2026-35601 affects Vikunja prior to 2.3.0 where the CalDAV output generator concatenates iCalendar VTODO fields without RFC 5545 escaping. User-controlled task titles containing CRLF can break the SUMMARY boundary, enabling injection of arbitrary iCalendar properties such as ATTACH, VALARM, o...
CVE-2026-34478 Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.htmlRFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect user...
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
Summary The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as...