Lucene search
+L

70 matches found

Cvelist
Cvelist
added 2026/05/25 2:0 p.m.45 views

CVE-2026-47072 CRLF injection in WebSocket upgrade request in hackney

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackneyws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into the interna...

6.9CVSS0.00506EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/05/25 2:0 p.m.12 views

CVE-2026-47072 CRLF injection in WebSocket upgrade request in hackney

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackneyws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into the interna...

6.9CVSS6AI score0.00506EPSS
Exploits1References4
OSV
OSV
added 2026/05/25 2:0 p.m.10 views

EEF-CVE-2026-47072 CRLF injection in WebSocket upgrade request in hackney

Summary Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney\ws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into th...

6.9CVSS6.2AI score0.00506EPSS
Exploits1References4
OSV
OSV
added 2026/05/25 2:0 p.m.4 views

CVE-2026-47072 CRLF injection in WebSocket upgrade request in hackney

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackneyws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into the interna...

6.9CVSS6.1AI score0.00506EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2026/05/25 12:0 a.m.24 views

PT-2026-43069

Name of the Vulnerable Software and Affected Versions hackney versions 2.0.0 through 4.0.0 Description Improper Neutralization of CRLF Sequences, also known as CRLF Injection, allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney ws.erl copies the host, path, headers...

7.5CVSS6AI score0.00506EPSS
Exploits1References8
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.14 views

Hackney 安全漏洞

Hackney is a program library from Hackney, Inc. A security vulnerability exists in hackney versions prior to 2.0.0 through 4.0.1, which stems from a failure to strip CRLF sequences in WebSocket upgrade code, which could lead to HTTP request/response splitting...

7.5CVSS5.8AI score0.00506EPSS
Exploits1References5
GithubExploit
GithubExploit
added 2026/05/16 10:15 a.m.234 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

CVE-2026-44578 — Next.js WebSocket Upgrade SSRF Pre-authentic...

8.6CVSS5.8AI score0.38872EPSS
Exploits9
Veracode
Veracode
added 2026/05/16 5:29 a.m.6 views

Origin Validation Error

Dozzle is vulnerable to Origin Validation Error. The vulnerability is due to improper origin validation in the WebSocket upgrader, where connections from any origin are accepted and authenticated with the victim's JWT cookie, allowing attackers to hijack authenticated sessions and gain unauthoriz...

9.6CVSS5.8AI score0.00195EPSS
Exploits1References3Affected Software1
GithubExploit
GithubExploit
added 2026/05/15 9:2 a.m.177 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

CVE-2026-44578 - Next.js WebSocket SSRF PoC Vulnerability:...

8.6CVSS5.8AI score0.38872EPSS
Exploits9
GithubExploit
GithubExploit
added 2026/05/15 5:2 a.m.223 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

╔═══════════════════════════════════════════════════════════...

8.6CVSS5.9AI score0.38872EPSS
Exploits9
NVD
NVD
added 2026/05/13 6:16 p.m.20 views

CVE-2026-44578

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the serve...

8.6CVSS0.38872EPSS
Exploits9References7
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.17 views

Next.js 代码问题漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.4.13 to 15.5.16, as well as versions before 16.2.5, have code vulnerabilities. These vulnerabilities stem from the use of the built-in Node.js server for hosting. When a custom WebSocket upgrade request is made, it ma...

8.6CVSS5.9AI score0.38872EPSS
Exploits9References1
CVE
CVE
added 2026/05/12 9:46 p.m.45 views

CVE-2026-42544

CVE-2026-42544 (Granian) affects Granian versions 1.2.0–2.7.4, where an unauthenticated client sending a WebSocket upgrade request with a non-ASCII Sec-WebSocket-Protocol header causes the server to abort the worker in the WebSocket scope construction path, yielding an unauthenticated DoS. The cr...

7.5CVSS5.8AI score0.00324EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.11 views

granian 输入验证错误漏洞

Granian is a high-performance Python HTTP server developed by Emmett under open source principles, using Rust as the programming language. Versions 1.2.0 to 2.7.4 of Granian contain a vulnerability related to input validation. This vulnerability arises when an unvalidated client sends a WebSocket...

7.5CVSS5.8AI score0.00324EPSS
Exploits0References2
OSV
OSV
added 2026/05/11 3:55 p.m.20 views

GHSA-C4J6-FC7J-M34R Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

Impact Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or...

8.6CVSS5.9AI score0.38872EPSS
Exploits9References5
OSV
OSV
added 2026/05/07 2:34 a.m.15 views

GHSA-V8J7-HP7C-738F Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users

Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...

6.5CVSS5.8AI score0.0017EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/06 9:20 p.m.25 views

Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic

Summary Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This is a single-request...

7.5CVSS5.9AI score0.00324EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/17 10:32 p.m.8 views

GHSA-XMXX-7P24-H892 OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation

Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. Impact A bearer token that should have been revoked by SecretRe...

9.2CVSS5.7AI score0.0054EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/04/17 10:32 p.m.19 views

OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation

Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. Impact A bearer token that should have been revoked by SecretRe...

9.8CVSS5.7AI score0.0054EPSS
Exploits1References6Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/03/16 12:0 a.m.6 views

EulerOS 2.0 SP11 : libwebsockets (EulerOS-SA-2026-1585)

According to the versions of the libwebsockets package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Use After Free vulnerability exists in the WebSocket server implementation in lwshandshakeserver in warmcat libwebsockets. In specific...

7.5CVSS6AI score0.00374EPSS
Exploits0References3
Rows per page
Query Builder