Lucene search
+L

564 matches found

RedhatCVE
RedhatCVE
added 2026/04/10 9:22 p.m.4 views

CVE-2026-39983

A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker can exploit this vulnerability by injecting Carriage Return Line Feed CRLF sequences into file path parameters used by high-level APIs. This allows the attacker to split a single intended FTP command into multiple command...

8.6CVSS6AI score0.02185EPSS
Exploits1References6
RedHat Linux
RedHat Linux
added 2026/04/10 6:51 p.m.2 views

busybox: BusyBox wget: HTTP request-target allows header injection

A flaw was found in BusyBox wget. This vulnerability allows header injection via raw CR/LF and other C0 control bytes in the HTTP request-target. An attacker can exploit this by crafting a URL containing these control characters to inject arbitrary HTTP headers into the outgoing request,...

6.5CVSS6.8AI score0.00285EPSS
Exploits1References7
EUVD
EUVD
added 2026/04/10 6:31 p.m.4 views

EUVD-2026-21519

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

5.7CVSS5.8AI score0.00562EPSS
Exploits0References5
UbuntuCve
UbuntuCve
added 2026/04/10 6:16 p.m.4 views

CVE-2026-1502

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

5.7CVSS5.8AI score0.00562EPSS
Exploits0References5
OSV
OSV
added 2026/04/10 6:16 p.m.7 views

UBUNTU-CVE-2026-1502

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

5.7CVSS5.8AI score0.00562EPSS
Exploits0References6
OSV
OSV
added 2026/04/10 5:54 p.m.14 views

PSF-2026-15

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

5.7CVSS5.8AI score0.00562EPSS
Exploits0References9
Debian CVE
Debian CVE
added 2026/04/10 5:54 p.m.6 views

CVE-2026-1502

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

5.7CVSS5.2AI score0.00562EPSS
Exploits0
Cvelist
Cvelist
added 2026/04/10 5:54 p.m.70 views

CVE-2026-1502 HTTP client proxy tunnel headers not validated for CR/LF

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

5.7CVSS0.00562EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/04/10 5:54 p.m.6 views

CVE-2026-1502

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

5.7CVSS5.8AI score0.00562EPSS
Exploits0References6Affected Software1
CVE
CVE
added 2026/04/10 5:54 p.m.50 views

CVE-2026-1502

The CVE-2026-1502 entry concerns CR/LF bytes not being rejected by HTTP client proxy tunnel headers or host, as described in both the CVE record and the CVE-List entry. The connected documents indicate this is related to HTTP client proxy tunnel header validation, without providing specific affec...

5.7CVSS5.8AI score0.00562EPSS
Exploits0References10
CVE
CVE
added 2026/04/10 4:8 p.m.18 views

CVE-2026-35601

CVE-2026-35601 affects Vikunja prior to 2.3.0 where the CalDAV output generator concatenates iCalendar VTODO fields without RFC 5545 escaping. User-controlled task titles containing CRLF can break the SUMMARY boundary, enabling injection of arbitrary iCalendar properties such as ATTACH, VALARM, o...

4.1CVSS5.9AI score0.00196EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/10 3:40 p.m.4 views

CVE-2026-34478 Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.htmlRFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect user...

6.9CVSS5.8AI score0.00831EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/10 3:35 p.m.12 views

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output

Summary The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as...

4.1CVSS5.9AI score0.00196EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/04/09 6:17 p.m.6 views

UBUNTU-CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

8.6CVSS5.8AI score0.02185EPSS
Exploits1References5
EUVD
EUVD
added 2026/04/09 5:5 p.m.6 views

EUVD-2026-20976

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

8.6CVSS5.9AI score0.02185EPSS
Exploits1References3
OSV
OSV
added 2026/04/09 5:5 p.m.2 views

CVE-2026-39983 FTP Command Injection via CRLF in basic-ftp

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

8.6CVSS7.2AI score0.02185EPSS
Exploits1References10
RedHat Linux
RedHat Linux
added 2026/04/09 12:37 p.m.4 views

ruby: HTTP response splitting in WEBrick

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients...

5.3CVSS6.6AI score0.04569EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/08 3:5 p.m.4 views

CRLF Injection

Overview org.webjars.npm:nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to CRLF Injection via the name configuration configuration option. An attacker can inject arbitrary SMTP commands by supplying carriage return and...

6.9CVSS6AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/08 3:5 p.m.23 views

Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)

Summary Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters \r\n. A...

6AI score
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/08 2:32 p.m.27 views

CVE-2026-39394 CI4MS has an .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...

8.1CVSS0.00516EPSS
Exploits1References1
Rows per page
Query Builder