59 matches found
CVE-2026-6907
A flaw was found in Django. The django.middleware.cache.UpdateCacheMiddleware component incorrectly caches web requests when the Vary header contains an asterisk ''. This error can lead to sensitive private data being stored in the cache and subsequently served to unauthorized users, resulting in...
BIT-DJANGO-2026-6907 Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
SUSE CVE-2026-6907
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
EUVD-2026-27382
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
PYSEC-2026-55
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served.Earlier, unsupported Django series such as 5.0.x, 4.1.x...
CVE-2026-6907 Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
CVE-2026-6907 Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
CVE-2026-6907
The CVE affects Django 6.0 before 6.0.5 and 5.2 before 5.2.14. The vulnerability lies in django.middleware.cache.UpdateCacheMiddleware, which may cache requests when the Vary header contains an asterisk (*) and thereby expose private data. This could cause private data to be stored and subsequent...
CVE-2026-6907
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
CVE-2026-6907
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ''. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
PT-2026-37078
Name of the Vulnerable Software and Affected Versions Django versions 6.0 through 6.0.4 Django versions 5.2 through 5.2.13 Description An issue in django.middleware.cache.UpdateCacheMiddleware causes requests where the Vary header contains an asterisk '' to be erroneously cached. This behavior ca...
SUSE CVE-2026-29776
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in updatereadcachebitmaporder Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0...
UBUNTU-CVE-2026-29776
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, Integer Underflow in updatereadcachebitmaporder Function of FreeRDP's Core Library This vulnerability is fixed in 3.24.0...
GO-2026-4588 `melange update-cache` has unbounded HTTP download that can exhaust disk in CI in chainguard.dev/melange
melange update-cache has unbounded HTTP download that can exhaust disk in CI in chainguard.dev/melange...
CVE-2026-29049
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cau...
SUSE CVE-2026-29049
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cau...
CVE-2026-29049
CVE-2026-29049 (melange) affects melange
CVE-2026-29049 melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cau...
CVE-2026-29049
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cau...
CVE-2026-29049 melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI
melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cau...