Lucene search
K

361 matches found

Snyk
Snyk
added 2026/04/03 2:37 a.m.3 views

HTTP Response Splitting

Overview electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to HTTP Response Splitting via the protocol.handle, protocol.registerSchemesAsPrivileged, or webRequest.onHeadersReceived...

6.5CVSS6AI score0.00211EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.5 views

PT-2026-29997

Impact Apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or...

5.9CVSS5.9AI score0.00211EPSS
Exploits0References4
NVD
NVD
added 2026/04/02 6:16 p.m.9 views

CVE-2026-34715

ewe is a Gleam web server. Prior to version 3.0.6, the encodeheaders function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF \r\n sequences. An application that passes user-controlled data into...

5.3CVSS0.00327EPSS
Exploits1References3
OSV
OSV
added 2026/04/01 9:49 p.m.2 views

GHSA-63HF-3VF5-4WQF AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Summary The C parser the default for most installs accepted null bytes and control characters is response headers. Impact An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin may return a...

9.1CVSS5.9AI score0.00461EPSS
Exploits0References5
UbuntuCve
UbuntuCve
added 2026/04/01 9:17 p.m.7 views

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

9.1CVSS5.8AI score0.00461EPSS
Exploits0References4
NVD
NVD
added 2026/04/01 9:17 p.m.9 views

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

9.1CVSS0.00461EPSS
Exploits0References3
OSV
OSV
added 2026/04/01 9:17 p.m.4 views

DEBIAN-CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

6.9CVSS5.3AI score0.00461EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/01 8:27 p.m.9 views

CVE-2026-34520 AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

6.9CVSS5.8AI score0.00461EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/01 8:27 p.m.3 views

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

6.9CVSS5.8AI score0.00461EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/01 8:27 p.m.22 views

CVE-2026-34520 AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

6.9CVSS0.00461EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/04/01 8:27 p.m.5 views

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

9.1CVSS5.3AI score0.00461EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/04/01 8:27 p.m.2 views

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

9.1CVSS5.4AI score0.00461EPSS
Exploits0
Veracode
Veracode
added 2026/03/23 3:20 p.m.11 views

Sensitive Information Exposure

Nginx UI is vulnerable to Sensitive Information Exposure. The vulnerability is due to missing authentication on the /api/backup endpoint and exposure of decryption keys in the response header, which allows an attacker to download and decrypt sensitive backup data...

9.8CVSS6.8AI score0.22162EPSS
Exploits13References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/20 4:8 p.m.7 views

CVE-2026-22732

A flaw was found in Spring Security. When applications using Spring Security specify HTTP response headers for servlet applications, these headers may not be written. This can lead to a bypass of security policies or information disclosure, potentially allowing an attacker to gain unauthorized...

9.1CVSS5.6AI score0.0048EPSS
Exploits2References4
EUVD
EUVD
added 2026/03/20 12:31 a.m.6 views

EUVD-2026-13347

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0...

9.1CVSS5.8AI score0.0048EPSS
Exploits2References2
NVD
NVD
added 2026/03/19 11:16 p.m.7 views

CVE-2026-22732

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy default writing of HTTP Headers: : from 5.7.0 through 5.7.21, from...

9.1CVSS0.0048EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2026/03/19 12:0 a.m.7 views

PT-2026-26435

Name of the Vulnerable Software and Affected Versions Spring Security versions 5.7.0 through 5.7.21 Spring Security versions 5.8.0 through 5.8.23 Spring Security versions 6.3.0 through 6.3.14 Spring Security versions 6.4.0 through 6.4.14 Spring Security versions 6.5.0 through 6.5.8 Spring Securit...

9.4CVSS7.7AI score0.0048EPSS
Exploits2References66
Cvelist
Cvelist
added 2026/03/11 8:38 p.m.31 views

CVE-2026-32110 SiYuan has a Full-Read SSRF via /api/network/forwardProxy

SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and...

8.3CVSS0.00278EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/11 8:38 p.m.3 views

CVE-2026-32110

SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and...

8.3CVSS5.9AI score0.00278EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/02/26 9:30 a.m.7 views

EUVD-2026-8840

Some HTTP security headers are not properly set by the web server when sending responses to the client application...

2.3CVSS5.4AI score0.00143EPSS
Exploits0References2
Rows per page
Query Builder