539 matches found
frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control
Summary frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses...
AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
Impact When redirect following is enabled followRedirecttrue, AsyncHttpClient forwards Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and...
PT-2026-33219
The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled followRedirecttrue, versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers...
AIOHTTP Leaks Cookie And Proxy-Authorization Headers On Cross-origin Redirect
Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. Impact The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following...
SUSE CVE-2026-34518
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...
CVE-2026-34518
A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. When AIOHTTP follows redirects to a different origin, it incorrectly retains sensitive Cookie and Proxy-Authorization headers. This oversight could lead to information disclosure, where these headers...
GHSA-966J-VMVW-G2G9 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. Impact The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure in the handling of cross-origin redirects, where Cookie and Proxy-Authorization headers are not properly removed. An attacker can obtain sensitive information by causing a user to follow a redirect to a malicious...
AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. Impact The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following...
CVE-2026-34518
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...
UBUNTU-CVE-2026-34518
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...
CVE-2026-34518 AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...
CVE-2026-34518 AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...
CVE-2026-34518
CVE-2026-34518 affects aiohttp prior to 3.13.4: during cross-origin redirects, the client/server framework drops the Authorization header but keeps Cookie and Proxy-Authorization headers. This could expose sensitive cookie-related data across origins. The issue is fixed in aiohttp 3.13.4.
CVE-2026-34518
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...
aiohttp 信息泄露漏洞
aiohttp is an open-source framework developed by aio-libs, used for asynchronous HTTP client/server interactions with asyncio and Python. Prior to version 3.13.4 of aiohttp, there was an information leakage vulnerability. This vulnerability occurred when aiohttp discarded the Authorization header...
Fedora 44 : libsoup3 (2026-55dabf3975)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-55dabf3975 advisory. Add patch for CVE-2026-1539 Also remove Proxy-Authorization header on cross origin redirect Tenable has extracted the preceding description block directly fr...
Fedora: Security Advisory (FEDORA-2026-f029d04054)
The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fedora 43 : libsoup3 (2026-f029d04054)
The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-f029d04054 advisory. Add patch for CVE-2026-1539 Also remove Proxy-Authorization header on cross origin redirect Tenable has extracted the preceding description block directly fr...
Fedora 45 : libsoup3 (2026-6fb683df94)
The remote Fedora 45 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-6fb683df94 advisory. Automatic update for libsoup3-3.6.6-6.fc45. Changelog Thu Mar 19 2026 Milan Crha - 3.6.6-6 - Add patch for CVE-2026-1539 Also remove Proxy-Authorization head...