
121 matches found

Source: OSV, added 2026/06/26 8:42 a.m.

BIT-GRAFANA-2026-10601 Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access

The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an...

CVSS 5.4 | AI score 5.8 | EPSS 0.00258
Exploits: 0 | References: 2
Source: EUVD, added 2026/06/23 12:53 a.m.

EUVD-2026-38411

Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS Packages:...

CVSS 8.2 | AI score 5.7 | EPSS 0.00217
Exploits: 0 | References: 1
Source: OSV, added 2026/06/23 12:00 a.m.

ALSA-2026:28157 Important: python3.14-urllib3 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

CVSS 8.9 | AI score 6.2 | EPSS 0.0068
Exploits: 0 | References: 6
Source: RedHat Linux, added 2026/06/22 4:14 p.m.

urllib3: urllib3: Denial of Service due to excessive HTTP response decompression

A flaw was found in urllib3, an HTTP client library for Python. This vulnerability allows a remote attacker to cause excessive resource consumption, such as high CPU usage and massive memory allocation, on the client side. This occurs when urllib3 attempts to decompress an entire HTTP response,...

CVSS 8.9 | AI score 5.9 | EPSS 0.0068
Exploits: 0 | References: 5
Source: AstraLinux, added 2026/06/19 11:10 a.m.

Astra Linux – Vulnerability in Ruby 2.5

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allow HTTP response splitting. This is relevant for applications that use untrusted user input, either to generate an HTTP response or to create a CGI::Cookie object...

CVSS 8.8 | AI score 6.8 | EPSS 0.02287
Exploits: 1 | References: 2
Source: Snyk, added 2026/06/15 8:07 p.m.

HTTP Response Splitting

Overview: Affected versions of this package are vulnerable to HTTP Response Splitting via MultipartWriter.append or Payload.headers when attacker-controlled input is included in multipart or payload headers. An attacker can inject additional headers or alter the contents of a request by supplying...

CVSS 7.5 | AI score 5.3 | EPSS 0.00301
Exploits: 0 | References: 3
Source: RedhatCVE, added 2026/06/11 2:59 a.m.

CVE-2026-34417

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to...

CVSS 6.1 | AI score 5.6 | EPSS 0.00168
Exploits: 0 | References: 1
Source: OPENSUSE Linux, added 2026/06/09 12:00 a.m.

Security update for agama-web-ui (moderate)

openSUSE security update: security update for agama-web-ui. Announcement ID: openSUSE-SU-2026:20919-1. Rating: moderate. References: bsc1246678 bsc1264160 bsc1264802 bsc1266256. Cross-References: CVE-2025-7339 CVE-2026-42041 CVE-2026-42264...

CVSS 9.2 | AI score 6.3 | EPSS 0.00848
Exploits: 3 | References: 4
Source: RedhatCVE, added 2026/06/08 4:34 p.m.

CVE-2026-43973

A flaw was found in gun. A malicious server can exploit this uncontrolled resource consumption vulnerability by sending a partial HTTP/1.1 response that never completes. This causes the client's memory buffer to grow without bounds, leading to unbounded heap growth and potentially exhausting all...

CVSS 8.7 | AI score 5.7 | EPSS 0.00381
Exploits: 0 | References: 2
Source: Cvelist, added 2026/05/25 2:00 p.m.

CVE-2026-47069 CRLF injection in cookie domain/path options in hackney

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and...

CVSS 2.1 | EPSS 0.00374
Exploits: 1 | References: 4
Source: ATTACKERKB, added 2026/05/22 12:00 a.m.

CVE-2026-37470

An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components...

CVSS 7.3 | AI score 6.2 | EPSS 0.00331
Exploits: 0 | References: 3
Source: Positive Technologies, added 2026/05/19 12:00 a.m.

PT-2026-41970

Name of the Vulnerable Software and Affected Versions: Algernon versions prior to 1.17.7. Description: When Algernon is started with a single file path instead of a directory, singleFileMode is enabled, which forcibly activates debugMode. This configuration enables the PrettyError renderer, whic...

CVSS 7.5 | AI score 5.8 | EPSS 0.00303
Exploits: 0 | References: 5
Source: ATTACKERKB, added 2026/05/14 4:08 p.m.

CVE-2025-62316

HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions...

CVSS 2.3 | AI score 5.8 | EPSS 0.00106
Exploits: 0 | References: 2 | Affected Software: 1
Source: Snyk, added 2026/05/08 8:49 p.m.

HTTP Response Splitting

Overview: eventsource-encoder encodes events as well-formed EventSource/Server-Sent Event (SSE) messages. Affected versions of this package are vulnerable to HTTP Response Splitting via unsanitized event and id fields in the encoding process. An attacker can inject arbitrary Server-Sent Events...

CVSS 6.9 | AI score 6 | EPSS 0.00277
Exploits: 1 | References: 3
Source: Snyk, added 2026/05/05 10:17 p.m.

Allocation of Resources Without Limits or Throttling

Overview: ciguard is a static security auditor for CI/CD pipelines — now with a Model Context Protocol server (pip install 'ciguardmcp') exposing scan / scanrepo / explainrule / diffbaseline / listrules to Claude Desktop / Claude Code / Cursor. Plus .ciguardignore rationale-required suppression,...

CVSS 6.3 | AI score 5.8 | EPSS 0.00301
Exploits: 0 | References: 2
Source: OSV, added 2026/04/22 8:25 p.m.

GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

CVSS 8.6 | AI score 5.9 | EPSS 0.00327
Exploits: 0 | References: 4
Source: Cvelist, added 2026/04/20 3:45 p.m.

CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

CVSS 5.3 | EPSS 0.00294
Exploits: 0 | References: 4
Source: Snyk, added 2026/04/14 11:27 p.m.

HTTP Response Splitting

Overview: Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...

CVSS 8.7 | AI score 6.2 | EPSS 0.02279
Exploits: 0 | References: 2
Source: Snyk, added 2026/04/14 11:27 p.m.

HTTP Response Splitting

Overview: Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...

CVSS 8.7 | AI score 6.2 | EPSS 0.02279
Exploits: 0 | References: 2
Source: OSV, added 2026/04/08 7:22 p.m.

GHSA-W8RR-5GCM-PP58 opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

Overview: this report shows that the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled or a network attacker can MITM t...

CVSS 5.3 | AI score 5.9 | EPSS 0.0019
Exploits: 0 | References: 5