28 matches found
undertow: Undertow: Request smuggling via inconsistent header parsing
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...
CVE-2026-32762
A flaw was found in Rack, a modular Ruby web server interface. This vulnerability arises from improper parsing of the RFC 7239 Forwarded header, where semicolons within quoted values are incorrectly interpreted as delimiters. An attacker can exploit this by crafting a malicious Forwarded header,...
DEBIAN-CVE-2026-26961
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
EUVD-2026-16696
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...
CVE-2026-28368
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...
CVE-2026-28368 Undertow: undertow: request smuggling via inconsistent header parsing
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...
CVE-2026-28368
A vulnerability (CVE-2026-28368) affects Undertow and involves a discrepancy in header parsing between Undertow and upstream proxies, enabling HTTP request smuggling. Reported across multiple sources (NVD, Debian/Ubuntu OSV, Circl, GitHub advisories, and Nessus plugin) with confirmed references t...
Protection Mechanism Failure
github.com/envoyproxy/envoy is vulnerable to Protection Mechanism Failure. The vulnerability is due to accepting and forwarding client data before a successful 2xx response in TCP proxy mode, which allows an attacker to cause desynchronization when upstream proxies reject the CONNECT request...
GHSA-RJ35-4M94-77JH Envoy forwards early CONNECT data in TCP proxy mode
Summary: Forwarding of early CONNECT data in TCP proxy mode. Details: Per RFC 7231-4.3.6, the sender of CONNECT and all inbound proxies switch to tunnel mode only after receiving a 2xx response. However, in TCP proxy mode, Envoy accepts client data before it has issued a 2xx response and eagerly proxie...
Linux Distros Unpatched Vulnerability : CVE-2017-5660
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - There is a vulnerability in Apache Traffic Server ATS 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can have issues when...
Linux Distros Unpatched Vulnerability : CVE-2022-24801
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in t...
SUSE CVE-2022-24801
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...
SUSE SLES15 Security Update : python-Twisted (SUSE-SU-2022:1477-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:1477-1 advisory. - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1....
Inconsistent Interpretation of HTTP Requests in twisted.web
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230: 1. The Content-Length header value could have a + or - prefix. 2. Illegal characters were permitted in chunked extensions, such as the LF \n...
GHSA-C2JG-HW38-JRQQ Inconsistent Interpretation of HTTP Requests in twisted.web
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230: 1. The Content-Length header value could have a + or - prefix. 2. Illegal characters were permitted in chunked extensions, such as the LF \n...
CVE-2022-24801
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...
Design/Logic Flaw
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...
UBUNTU-CVE-2022-24801
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing...