Lucene search
+L

980 matches found

Nuclei
Nuclei
added 10 hours ago20 views

Zimbra - Cross-Site Scripting via ICS Files

Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event...

5.4CVSS6.5AI score0.04344EPSS
Exploits1References3
OSV
OSV
added 4 days ago4 views

CVE-2026-49855 tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an...

7.5CVSS6.1AI score0.00691EPSS
Exploits0References5
OSV
OSV
added 4 days ago4 views

CVE-2026-48736 Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, NoPrivateNetworkHttpClient and IpUtils::PRIVATESUBNETS omitted IPv6 transition prefixes such as 6to4, NAT64, Teredo, and IPv4-compatible IPv6, allowi...

6.9CVSS6.1AI score0.0046EPSS
Exploits0References8
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-43637

In versions up to and including 4.5.29 4.x branch and 5.1.4 5.x branch, the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, in violation of RFC 6265 section 5.3. An attacke...

8.2CVSS6.1AI score0.00157EPSS
Exploits0References1
CVE
CVE
added 4 days ago12 views

CVE-2026-15076

Vulnerability context: CVE-2026-15076 affects Eclipse Vert.x Web Client’s WebClientSession (versions up to 4.5.29 and 5.1.4). The issue is that the Domain attribute of a Set-Cookie header is not validated against the originating server’s domain. Root cause: WebClientSession stores cookies without...

8.2CVSS6.1AI score0.00157EPSS
Exploits0References1Affected Software1
OSV
OSV
added 4 days ago3 views

CVE-2026-15076

In versions up to and including 4.5.29 4.x branch and 5.1.4 5.x branch, the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, in violation of RFC 6265 section 5.3. An attacke...

8.2CVSS6.1AI score0.00157EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-15076

In versions up to and including 4.5.29 4.x branch and 5.1.4 5.x branch, the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, in violation of RFC 6265 section 5.3. An attacke...

8.2CVSS6.1AI score0.00157EPSS
Exploits0References2Affected Software1
Debian CVE
Debian CVE
added 2026/07/07 5:41 p.m.8 views

CVE-2026-7017

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, mayberedirect follows the Location: header and prepareheadersandcb re-merges the caller's headers argument into the new request, without checking whether...

7.1CVSS6AI score0.0026EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/25 11:8 p.m.9 views

CVE-2026-41715

A flaw was found in Reactor Netty HTTP client. In specific scenarios, a remote attacker could exploit this vulnerability when the HTTP client is explicitly configured to follow redirects from a secure endpoint to an insecure one. This could lead to the leakage of sensitive credentials. Mitigation...

6.5CVSS5.9AI score0.00172EPSS
Exploits0References4
OSV
OSV
added 2026/06/24 5:17 p.m.3 views

UBUNTU-CVE-2026-54297

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nestin...

7.5CVSS5.9AI score0.00391EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-6733

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an...

3.7CVSS7AI score0.00228EPSS
Exploits0References4
CVE
CVE
added 2026/06/12 2:15 p.m.30 views

CVE-2026-47139

vm2 NodeVM burlon bypass vulnerability exists where public network modules are blocked but internal underscored HTTP builtins (_http_client, _http_server) remain reachable. The issue allows sandboxed code to perform outbound HTTP requests and open listening sockets despite network exclusions, ena...

8.6CVSS5.3AI score0.00282EPSS
Exploits0References3
OSV
OSV
added 2026/06/12 2:15 p.m.4 views

CVE-2026-47139 vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes...

8.6CVSS5.9AI score0.00282EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/10 2:59 a.m.13 views

CVE-2026-44746

Due to a reflected cross-site scripting XSS vulnerability in SAP NetWeaver JAVA JDBC Test Servlet, an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of...

6.1CVSS5.4AI score0.00199EPSS
Exploits0References1
CVE
CVE
added 2026/06/09 12:20 a.m.44 views

CVE-2026-44746

An XSS vulnerability (reflected) in SAP NetWeaver Java (JDBC Test Servlet) allows an unauthenticated attacker to craft a URL containing malicious script. If a victim clicks the link, the injected input is processed during web page generation, causing the attacker’s code to run in the victim’s bro...

6.1CVSS5.4AI score0.00199EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.24 views

PT-2026-47647

Name of the Vulnerable Software and Affected Versions Reactor Netty versions 1.0.0 through 1.0.51 Reactor Netty versions 1.1.0 through 1.1.35 Reactor Netty versions 1.2.0 through 1.2.17 Reactor Netty versions 1.3.0 through 1.3.5 Description The Reactor Netty HTTP client may leak credentials when...

6.1CVSS5.8AI score0.00172EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.17 views

req 安全漏洞

“req” is a simple Go HTTP client developed by a Roc individual using Black Magic. Versions of “req” from 0.1.0 to 0.6.1 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of highly compressed data, which could allow an attacker-controlled HTTP server to exhau...

8.2CVSS5.4AI score0.00438EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.11 views

Alf.io 安全漏洞

Alf.io is a free and open-source event attendance management system developed by Alf.io. Versions of Alf.io prior to 2.0-M5-2606 contained security vulnerabilities. These vulnerabilities stemmed from the HTTP Client’s postFileAndSaveResponse method, which allowed arbitrary file system paths witho...

4.9CVSS5.6AI score0.00317EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.11 views

Tesla 安全漏洞

Tesla is an HTTP client software open-sourced by Elixir Tesla. Versions of Tesla from 0.6.0 to 1.18.3 contained security vulnerabilities. These vulnerabilities stemmed from the lack of restrictions on the size of decompressed data when processing highly compressed data, which could lead to...

8.2CVSS5.4AI score0.00329EPSS
Exploits0References5
OSV
OSV
added 2026/05/27 3:33 p.m.3 views

GHSA-7HP7-4P35-3CX2 Gradio contains a cookie injection vulnerability

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a...

7.6CVSS5.9AI score0.0035EPSS
Exploits0References7
Rows per page
Query Builder