Lucene search
K

970 matches found

CNNVD
CNNVD
added 2026/05/11 12:0 a.m.13 views

Flowise 代码问题漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.0 contained code vulnerabilities. These vulnerabilities stemmed from the direct import and invocation of the original HTTP client by multiple tools, without using...

9.8CVSS5.9AI score0.00396EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/08 8:48 p.m.12 views

OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured

Summary The OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANAENDPOINTPROXY environment variable. If a network attacker can Man-in-the-Middle MitM the...

6.5CVSS5.8AI score0.00207EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/08 11:49 a.m.23 views

BIT-PYTHON-2025-13836 Excessive read buffering DoS in http.client

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS...

7.5CVSS6.7AI score0.01525EPSS
Exploits0References10
Github Security Blog
Github Security Blog
added 2026/05/05 10:17 p.m.7 views

ciguard: SCA HTTP client reads response body without size cap

Summary Both SCA HTTP clients src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py call payload = json.loadsresp.read.decode'utf-8' without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev or a successful TLS MITM could return a multi-GB response,...

3.7CVSS5.9AI score0.00301EPSS
Exploits0References5Affected Software1
GithubExploit
GithubExploit
added 2026/04/29 4:20 a.m.99 views

Web-Client-Side-Vulnerabilities-Practical-Exploitation-and-Mitigation

No d...

5.3AI score
Exploits0
OSV
OSV
added 2026/04/27 6:33 p.m.11 views

JLSEC-2026-268 Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of...

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'noproxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash...

5.9CVSS6.8AI score0.02016EPSS
Exploits0References9
OSV
OSV
added 2026/04/24 6:16 p.m.8 views

UBUNTU-CVE-2026-42036

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

5.3CVSS5.8AI score0.00421EPSS
Exploits1References3
OSV
OSV
added 2026/04/24 6:16 p.m.7 views

UBUNTU-CVE-2026-42034

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits...

5.3CVSS5.8AI score0.00327EPSS
Exploits1References3
OSV
OSV
added 2026/04/24 6:16 p.m.8 views

UBUNTU-CVE-2026-42037

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF \r\n sequences. An attacker w...

5.3CVSS5.9AI score0.0024EPSS
Exploits1References3
Debian CVE
Debian CVE
added 2026/04/24 5:40 p.m.7 views

CVE-2026-42040

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent'\x00' correctly...

3.7CVSS5.3AI score0.00217EPSS
Exploits1
CVE
CVE
added 2026/04/22 7:7 a.m.23 views

CVE-2026-40542

Apache HttpClient 5.6 is affected by a missing step in SCRAM-SHA-256 mutual authentication, allowing a client to accept authentication without proper mutual verification. The issue impacts the 5.6 release and is fixed by upgrading to version 5.6.1. Affected component: Apache HttpClient (Java), v5...

7.3CVSS5.7AI score0.00456EPSS
Exploits0References5Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/13 3:25 p.m.7 views

Malicious code in @ascend-ops/web-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57ec262f68b9b9bd081ce675c1eb28e56c6c630c03cf1ecb680e5b56035f0aaa The package @ascend-ops/web-client was found to contain malicious code. Source: ghsa-malware...

5.7AI score
Exploits0References1
Snyk
Snyk
added 2026/04/13 3:25 p.m.14 views

Malicious Package

Overview @ascend-ops/web-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/04/13 3:25 p.m.7 views

MAL-2026-2575 Malicious code in @ascend-ops/web-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57ec262f68b9b9bd081ce675c1eb28e56c6c630c03cf1ecb680e5b56035f0aaa The package @ascend-ops/web-client was found to contain malicious code. Source: ghsa-malware...

5.7AI score
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/04/08 6:17 p.m.13 views

undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers

A flaw was found in undici, a Node.js HTTP/1.1 client. A remote attacker could exploit this vulnerability by sending HTTP/1.1 requests that include duplicate Content-Length headers with different casing e.g., "Content-Length" and "content-length". This can lead to HTTP Request Smuggling, a...

9.8CVSS5.9AI score0.00493EPSS
Exploits0References9
NVD
NVD
added 2026/04/02 7:21 p.m.19 views

CVE-2026-5418

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The...

7.5CVSS0.00303EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/02 6:30 p.m.1 views

CVE-2026-5418

A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The...

7.5CVSS6.6AI score0.00303EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/04/02 6:30 p.m.18 views

CVE-2026-5418

The CVE affects appsmith.org Appsmith Dashboard up to version 1.97, specifically the computeDisallowedHosts function in WebClientUtils.java. The issue enables server-side request forgery (SSRF) and may be exploitable remotely; an exploit is publicly available. Mitigation provided in the sources i...

7.5CVSS6.6AI score0.00303EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/03/31 4:59 a.m.4 views

CVE-2026-33373

An issue was discovered in Zimbra Collaboration ZCS 10.0 and 10.1. A Cross-Site Request Forgery CSRF vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after...

8.8CVSS5.9AI score0.00202EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/30 3:32 p.m.4 views

EUVD-2026-17106

An issue was discovered in Zimbra Collaboration ZCS 10.0 and 10.1. A Cross-Site Request Forgery CSRF vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after...

5.9AI score0.00202EPSS
Exploits0References5
Rows per page
Query Builder