CVE-2026-9697

undici’s ProxyAgent drops the requestTls option when used with a SOCKS5 proxy (socks5:// or socks://), causing the HTTPS connection to rely on Node’s default trust store and ignore user-provided ca, cert, key, rejectUnauthorized, and servername. This allows any cert signed by a publicly trusted C...

CVE-2025-71261 Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS

An attacker with network-level access between the SUSE Virtualization and Rancher Manager in SUSE Harvester before 1.8.0 could interfere with the TLS handshake and abuse it to bypass TLS as a security control...

Important: ruby4.0

Issue Overview: Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAPstarttls to return "successfully", without starting TLS. This issue has been patched in...

Amazon Linux 2023 : ruby3.4, ruby3.4-bundled-gems, ruby3.4-default-gems (ALAS2023-2026-1807)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1807 advisory. zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader...

CVE-2026-46579

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

EUVD-2026-33274

A flaw was found in the OpenShift Router. When a Route has insecureEdgeTerminationPolicy set to Allow, the HTTP frontend does not remove X-SSL-Client- headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted X-SSL-Client- headers. As a resul...

SUSE CVE-2024-37082

When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications. You are affected if you have route-services enabled in routing-release and have...

CVE-2026-4873

CVE-2026-4873 is a TLS-reuse issue observed in curl-related advisories. The vulnerability arises when a TLS-requiring connection reuses an existing unencrypted connection from the same pool: if the initial transfer is unencrypted (e.g., via IMAP, SMTP, or POP3), a subsequent request to the same h...

Unity Linux 20.1060e / 20.1070e Security Update: curl (UTSA-2026-017559)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017559 advisory. A user can tell curl = 7.20.0 and = 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server --ssl-reqd on the command line...

EUVD-2026-28924

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAPstarttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10,...

PT-2026-37183

Name of the Vulnerable Software and Affected Versions Net::IMAP versions prior to 0.3.10 Net::IMAP versions prior to 0.4.24 Net::IMAP versions prior to 0.5.14 Net::IMAP versions prior to 0.6.4 Description A man-in-the-middle attacker can cause the starttls function to return successfully without...

Astra Linux – Vulnerability in curl

A user can specify that curl = 7.20.0 and = 7.78.0 requires a successful upgrade to TLS when communicating with IMAP, POP3, or FTP servers. This is achieved by using the --ssl-reqd option on the command line, or setting CURLOPT USESSL to CURLUSESSLCONTROL or CURLUSESSLALL with licurl. This...

CLSA-2026-1772465492 podman: Fix of 4 CVEs

rebuild with newer golang version 1.25.7-1.el96.tuxcare.els1 to fix the following CVEs - CVE-2025-68121: fix TLS session resumption bypass by preventing shared auto-rotated ticket keys in Config and validating full certificate chain expiry - CVE-2025-61726: limit parsed URL query parameters to...

CVE-2026-41330

OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification,...

Updated python-openssl packages fix security vulnerabilities

pyOpenSSL allows TLS connection bypass via unhandled callback exception in settlsextservernamecallback. CVE-2026-27448 pyOpenSSL DTLS cookie callback buffer overflow. CVE-2026-27459...

GO-2026-4793 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik

Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config in github.com/traefik/traefik...

CVE-2026-32305

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. A remote attacker can exploit this vulnerability by sending fragmented ClientHello packets during the Transport Layer Security TLS handshake. This causes Traefik's Server Name Indication SNI extraction to fail, leading to a...

Insecure Default Initialization of Resource

Overview github.com/traefik/traefik/v2/pkg/server/router/tcp is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ... a...

CVE-2026-32305

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records,...

CVE-2026-32305 Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records,...