8 matches found
CVE-2026-35577 Missing Host Header Validation in Apollo MCP Server for Localhost Deployments
Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run ...
CVE-2026-34715 ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
ewe is a Gleam web server. Prior to version 3.0.6, the encodeheaders function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF \r\n sequences. An application that passes user-controlled data into...
CVE-2026-22779
BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests e.g. insert a new...
CVE-2023-2848
Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation...
CVE-2023-2848
Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation...
UBUNTU-CVE-2023-2848
Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation...
CVE-2023-2848
Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation...
Movim Access Control Error Vulnerability
Movim is a syndicated blogging and chat platform that acts as a web front end for the XMPP protocol. A security vulnerability exists in Movim versions prior to 0.22Z, which stems from a lack of header validation, leading to a cross-site WebSocket hijacking issue...