166 matches found
CVE-2026-59892 OpenTelemetry JavaScript: Denial of service in `JaegerPropagator` via unhandled exception on a malformed header
OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...
CVE-2026-14631
A flaw was found in webpack-dev-server. An unauthenticated remote attacker could send a specially crafted HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. This malformed input causes an uncaught exception, leading to the termination of the Node.js...
CVE-2026-14631
webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...
CVE-2026-56762 Hono - Missing Cookie Name Validation in setCookie()
Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters e.g. \r or \n when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...
CVE-2026-56762
Hono CVE-2026-56762 affects Hono before 4.12.12, where cookie-name validation is missing on the write path in setCookie(), serialize(), and serializeSigned(). This allows invalid characters (e.g., control chars like \r/\n) in user-controlled cookie names, producing malformed Set-Cookie header val...
CVE-2026-56762 Hono - Missing Cookie Name Validation in setCookie()
Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters e.g. \r or \n when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...
CVE-2026-56762
Hono before 4.12.12 does not validate cookie names on the write path in the setCookie, serialize, and serializeSigned functions, allowing invalid characters such as control characters e.g. \r or \n when an application passes a user-controlled cookie name. This can produce malformed Set-Cookie...
EUVD-2026-38369
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...
PT-2026-51407
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A weak parsing issue exists in the x-limited-key-id header. Remote attackers can bypass subkey enforcement by submitting duplicate headers, zero, or malformed values that result in falsy values or N...
CLEANSTART-2026-SQ76279 Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU
Multiple security vulnerabilities affect the dex package. Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. See references for individual vulnerability details...
undertow: Undertow: Request Smuggling via Malformed HTTP Request Headers
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform...
undertow: Undertow: Request Smuggling via Malformed HTTP Request Headers
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform...
USN-8382-1 exim4 vulnerabilities
Timo Longin discovered that Exim incorrectly handled certain SMTP messages in PIPELINING/CHUNKING configurations. A remote attacker could possibly use this issue to perform SMTP smuggling. This issue only affected Ubuntu 14.04 LTS. CVE-2023-51766 It was discovered that Exim incorrectly handled...
CVE-2026-42585
A flaw was found in Netty. This vulnerability allows a remote attacker to perform request smuggling attacks due to incorrect parsing of malformed Transfer-Encoding headers. By exploiting this flaw, an attacker can bypass security controls and potentially access sensitive information or manipulate...
EUVD-2026-32542
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose...
Astra Linux – Vulnerability in tar
In the sparse.c file of GNU Tar, before version 1.32, there was a NULL pointer dereferencing issue when parsing certain archives that contained malformed extended headers...
CLSA-2026-1778828497 tar: Fix of CVE-2023-39804
CVE-2023-39804: fix crash on PAX archive with malformed extended header attributes in locatehandler and xattrdecoder...
tar: Fix of CVE-2019-9923
CVE-2019-9923: fix NULL pointer dereference in paxdecodeheader on malformed PAX extended headers...
USN-8228-1: Exim vulnerabilities
It was discovered that Exim incorrectly handled parsing malformed JSON in message headers. A remote attacker could possibly use this issue to execute arbitrary code. CVE-2026-40685 It was discovered that Exim incorrectly handled processing of UTF-8 trailing characters. A remote attacker could...
CLSA-2026-1777563191 tar: Fix of CVE-2019-9923
CVE-2019-9923: fix NULL pointer dereference in paxdecodeheader on malformed PAX extended headers...