61 matches found
CVE-2026-40994
Summary: CVE-2026-40994 affects Spring Web Services where Wss4jSecurityInterceptor initializes its BSP flag to disable BSP enforcement on inbound data, weakening protocol-level WS-Security checks. Affected versions: Spring Web Services 5.0.0–5.0.1; 4.1.0–4.1.3; 4.0.0–4.0.18; 3.1.0–3.1.8. Impact (...
Linux Distros Unpatched Vulnerability : CVE-2026-42764
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation...
CVE-2026-41714
Spring AMQP 2.4.x/3.1.x/3.2.x/4.0.x (versions 2.4.0–2.4.17, 3.1.0–3.1.15, 3.2.0–3.2.10, 4.0.0–4.0.3) are affected by CVE-2026-41714. The issue occurs when a broker connection is configured via RabbitConnectionFactoryBean.setUri("amqps://...") without calling setUseSSL(true). This leads to TLS enc...
CVE-2026-42764
Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial ...
CVE-2026-42764
Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial ...
CVE-2026-42764 NULL Pointer Dereference in QUIC Server Initial Packet Handling
Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial ...
CVE-2026-32992
SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials...
CVE-2026-40946
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience aud claim validation at the library level. This allows tokens issued for unrelate...
CVE-2026-50208
High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle MITM actor could decrypt network traffic...
CVE-2026-45574
The CVE affects the epa4all-client Java library (for epa4all / ePA 3.0). Before version 1.2.2, a network-path attacker could present any TLS certificate (self-signed/expired/wrong CN) and intercept SOAP traffic, exposing KVNRs, SMC-B authentication/signing, document content, and credential exchan...
Malicious code in bricks-builder-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7ad643457c1104b8f118971a9ee95702f2126a16f33a4ec9dfd8ed21c43fc1eb bricks-builder-mcp is a Model Context Protocol server exposing WordPress/Bricks Builder editing tools page JSON edits, media uploads, custom CSS/JS...
epa4all-client: TLS Certificate Validation Disabled in Production
Impact An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate self-signed, expired, wrong CN and intercept all SOAP traffic. This includes patient identifiers KVNR, SMC-B card operations authentication, signing, document content, and credential...
SUSE CVE-2026-42578
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
CVE-2026-44312
CVE-2026-44312 affects the Ruby CSS Parser gem. Prior to 2.1.0 and 1.22.0, the library does not validate HTTPS connections (OpenSSL::SSL::VERIFY_NONE), allowing a MITM attacker to inject/modify CSS content when loading stylesheets over HTTPS. The issue is fixed in 2.1.0 and 1.22.0. Remediation: u...
CVE-2026-42578
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
UBUNTU-CVE-2026-42578
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
CVE-2026-42578
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
CVE-2026-42578 Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...
CVE-2026-42578
Netty CVE-2026-42578 affects HttpProxyHandler prior to 4.2.13.Final and 4.1.133.Final. The issue arises because HttpProxyHandler builds CONNECT requests with header validation disabled (newInitialMessage uses DefaultHttpHeadersFactory.headersFactory().withValidation(false) and then appends user-p...
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)
Security Vulnerability Report: HTTP Header Injection via HttpProxyHandler Disabled Validation in Netty 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions | | Component | io.netty.handler.proxy.HttpProxyHandler | |...