22 matches found

SUSE CVE
added 2026/04/02 11:26 p.m., 3 views

SUSE CVE-2026-34525

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4...

CVSS 6.3, AI score 5.7, EPSS 0.00162
Exploits 0, References 3
RedHat Linux
added 2026/01/29 11:28 a.m., 4 views

libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)

A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the...

CVSS 8.2, AI score 5.8, EPSS 0.00024
Exploits 0, References 5
Debian CVE
added 2025/12/11 12:30 p.m., 1 views

CVE-2025-14523

A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the...

CVSS 8.2, AI score 5.3, EPSS 0.00024
Exploits 0
Positive Technologies
added 2025/12/11 12:00 a.m., 3 views

PT-2025-50606

Name of the Vulnerable Software and Affected Versions: libsoup versions 2.4 and 3.x. Description: A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request, with the server processing the last occurrence. This discrepancy between how front proxies and the backend server...

CVSS 8.2, AI score 6.5, EPSS 0.00024
Exploits 0, References 56
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2017-16764

Malware in sbrugna...

CVSS 5.3, AI score 7.4, EPSS 0.00769
Exploits 1, References 8
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-0590

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.5, EPSS 0.00191
Exploits 1, References 5
RedhatCVE
added 2025/05/23 9:38 a.m., 4 views

CVE-2024-24753

Bref enables serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple-value headers. If PHP generates a response with two headers having the same key but different values, only the latest one is kept. If an application relie...

CVSS 6.5, AI score 7, EPSS 0.00191
Exploits 1, References 1
OSV
added 2024/08/15 12:15 a.m., 2 views

CVE-2024-7625

In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability,...

CVSS 5.8, AI score 6.8
Exploits 0, References 1
OSV
added 2024/02/01 8:53 p.m., 15 views

GHSA-99F9-GV72-FW9R Bref Doesn't Support Multiple Value Headers in ApiGatewayFormatV2

Impacted Resources: bref/src/Event/Http/HttpResponse.php:61-90. Description: When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple-value headers. Precisely, if PHP generates a response with two headers having the same key but different values, only the...

CVSS 4.8, AI score 6.7, EPSS 0.00191
Exploits 1, References 5
OSV
added 2023/07/13 3:15 a.m., 1 views

DEBIAN-CVE-2023-38199

coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...

CVSS 9.8, AI score 8.4, EPSS 0.0004
Exploits 0, References 1
UbuntuCve
added 2023/07/13 3:15 a.m., 10 views

CVE-2023-38199

coreruleset aka OWASP ModSecurity Core Rule Set through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the...

CVSS 9.8, AI score 7.2, EPSS 0.0004
Exploits 0, References 3
OSV
added 2023/02/23 8:15 p.m., 1 views

ALPINE-CVE-2023-23916

An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this...

CVSS 6.5, AI score 6.9, EPSS 0.00066
Exploits 1, References 1
SUSE CVE
added 2023/02/15 4:46 a.m., 1 views

SUSE CVE-2017-7789

If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. This vulnerability affects Firefox 55...

CVSS 5.9, AI score 8.5, EPSS 0.00769
Exploits 1, References 6
RedHat Linux
added 2021/08/11 6:21 p.m., 1 views

netty: HttpObjectDecoder.java allows Content-Length header to be accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding and Content-Length headers, where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

CVSS 9.1, AI score 7.1, EPSS 0.03657
Exploits 1, References 4
CNNVD
added 2021/02/17 12:00 a.m., 3 views

Lightbend Akka Akka-http Environment Issue Vulnerability

Lightbend Akka Akka-http is a toolkit from the Lightbend community in China. It provides a more generalized toolkit for providing and using HTTP-based services. An environment issue vulnerability exists in com.typesafe.akka:akka-http-core that allows multiple Transfer-Encoding headers...

CVSS 6.5, AI score 6.6, EPSS 0.00211
Exploits 0, References 4
OSV
added 2021/02/09 9:15 p.m., 2 views

CVE-2021-21444

SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents. This could, as a result, nullify the added X-Frame-Options header leading to Clickjacking attack...

CVSS 6.1, AI score 5.8, EPSS 0.00169
Exploits 0, References 2
RedHat Linux
added 2020/09/30 1:14 p.m., 2 views

envoyproxy/envoy: incorrectly handles multiple HTTP headers in requests

An incorrect access control bypass vulnerability was found in envoyproxy/envoy. This flaw allows an attacker to send multiple HTTP headers where only the first one is valid. Envoy then forwards all of the headers as valid to the upstream component. This issue allows an attacker to subvert any...

CVSS 8.3, AI score 5.8, EPSS 0.00053
Exploits 1, References 5
RedHat Linux
added 2020/02/13 2:50 p.m., 2 views

netty: HttpObjectDecoder.java allows Content-Length header to be accompanied by second Content-Length header

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding and Content-Length headers, where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a...

CVSS 9.1, AI score 7.1, EPSS 0.03657
Exploits 1, References 4
OSV
added 2012/09/05 11:55 p.m., 1 views

DEBIAN-CVE-2012-3526

The reverse proxy add forward module (mod_rpaf) 0.5 and 0.6 for the Apache HTTP Server allows remote attackers to cause a denial of service (server or application crash) via multiple X-Forwarded-For headers in a request...

CVSS 5, AI score 6.9, EPSS 0.01928
Exploits 0, References 1
ATTACKERKB
added 2011/09/29 12:55 a.m., 0 views

CVE-2011-3000

Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting...

CVSS 4.3, AI score 8.6, EPSS 0.01301
Exploits 0, References 15