Lucene search
K

126 matches found

IBM Security Bulletins
IBM Security Bulletins
added 2026/06/28 7:37 p.m.7 views

Security Bulletin: DataStage on Cloud Pak for Data has several vulnerabilities due to open source software

Summary Open source packages are used as part of the overall processing in DataStage on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2026-2581 DESCRIPTION: This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici...

7.5CVSS5.6AI score0.00728EPSS
Exploits0Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.6 views

SUSE SLES15 Security Update : nodejs24 (SUSE-SU-2026:2633-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2633-1 advisory. This update for nodejs24 fixes the following issues Update to 24.17.0: - CVE-2026-2581: undici: Undici: Denial of Service due to...

9.8CVSS6.8AI score0.02445EPSS
Exploits3References64
Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.36 views

Node.js Module Undici 6.17.x < 6.27.0 / 7.x < 7.28.0 / 8.x < 8.5.0 DoS (CVE-2026-12151)

The nodejs module Undici detected on the host is version 6.17.x prior to 6.27.0, 7.x prior to 7.28.0, or 8.x prior to 8.5.0. It is, therefore, affected by a denial of service vulnerability: - The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a messag...

7.5CVSS7.1AI score0.00612EPSS
Exploits0References2
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/22 1:16 p.m.3 views

Security Bulletin: Vulnerability in Undici affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in Undici has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information. Vulnerabilit...

9.8CVSS7.2AI score0.0115EPSS
Exploits0Affected Software2
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-11525

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the...

3.7CVSS7.1AI score0.00248EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.21 views

Linux Distros Unpatched Vulnerability : CVE-2026-9679

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into the...

5.9CVSS7.2AI score0.00257EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-9697

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI socks5:// or socks://. The target HTTPS connection...

7.4CVSS6.7AI score0.00431EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/19 2:34 p.m.9 views

EUVD-2026-37758

undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching...

3.7CVSS5.8AI score0.00248EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/06/19 2:21 p.m.6 views

NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding vulnerability discovered by ? in WordPress Npm undici versions 6.27.0...

5.9CVSS5.8AI score0.00257EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/06/19 2:21 p.m.8 views

EUVD-2026-37764

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding...

5.9CVSS5.8AI score0.00257EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/19 2:21 p.m.12 views

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Impact undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

5.9CVSS6AI score0.00257EPSS
Exploits0References4Affected Software1
Patchstack
Patchstack
added 2026/06/19 2:20 p.m.7 views

NPM: undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse

NPM: undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse vulnerability discovered by ? in WordPress Npm undici versions = 7.23.0, 7.28.0...

8.8CVSS6.4AI score0.00315EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/06/19 2:19 p.m.7 views

GHSA-35P6-XMWP-9G52 undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

Impact Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it...

3.7CVSS5.8AI score0.00228EPSS
Exploits0References5
SUSE CVE
SUSE CVE
added 2026/06/19 1:57 a.m.9 views

SUSE CVE-2026-11525

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example,...

3.7CVSS5.9AI score0.00248EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/06/18 2:28 p.m.6 views

NPM: undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent

NPM: undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent vulnerability discovered by ? in WordPress Npm undici versions = 7.23.0, 7.28.0...

7.4CVSS6.4AI score0.00431EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.9 views

undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent

Impact undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI socks5:// or socks://. The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername...

7.4CVSS5.9AI score0.00431EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/18 2:28 p.m.7 views

GHSA-PR7R-676H-XCF6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass

Impact Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...

5.9CVSS5.3AI score0.00374EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/17 11:25 p.m.10 views

CVE-2026-6734

A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from...

8.8CVSS7AI score0.00315EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/17 11:14 p.m.7 views

CVE-2026-11525

A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintend...

3.7CVSS4.9AI score0.00248EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/17 6:21 p.m.6 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the HTTP/1.1 client when an attacker-controlled upstream server injects an unsolicited response onto an...

6.3CVSS5.9AI score0.00228EPSS
Exploits0References2
Rows per page
Query Builder