78 matches found

NVD
added 2026/05/13 7:17 p.m., 6 views

CVE-2026-42578

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage method creates headers using...

7.5 CVSS, 0.0001 EPSS
Exploits 1, References 1
EUVD
added 2026/05/11 12:32 p.m., 6 views

EUVD-2025-209758

In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP...

5.3 CVSS, 5.8 AI score, 0.00055 EPSS
Exploits 0, References 2
Vulnrichment
added 2026/04/27 9:58 a.m., 4 views

CVE-2026-33453 Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to...

6.5 AI score, 0.06138 EPSS
Exploits 1, References 1
NVD
added 2026/04/15 4:17 a.m., 3 views

CVE-2026-39971

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean is not...

7.2 CVSS, 0.00064 EPSS
Exploits 1, References 2
Snyk
added 2026/04/10 5:54 p.m., 3 views

CRLF Injection

Overview: Affected versions of this package are vulnerable to CRLF Injection via improper validation of HTTP client proxy tunnel headers or host fields. An attacker can inject arbitrary HTTP headers. Remediation: A fix was pushed into the master branch but not yet published. References: GitHub...

8.4 CVSS, 5.9 AI score, 0.00024 EPSS
Exploits 0, References 2
Positive Technologies
added 2026/04/02 12:00 a.m., 3 views

PT-2026-29880

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings vi...

8.7 CVSS, 5.9 AI score, 0.00129 EPSS
Exploits 0, References 4
CVE
added 2026/03/28 9:27 a.m., 8 views

CVE-2026-2442

The CVE-2026-2442 entry affects the Page Builder: Pagelayer WordPress plugin, with all versions up to and including 2.0.7. Root cause: Improper Neutralization of CRLF Sequences in the contact form handler, where attacker-controlled form fields undergo placeholder substitution and are then passed ...

5.3 CVSS, 6 AI score, 0.00146 EPSS
Exploits 0, References 2
NVD
added 2026/03/12 9:16 p.m., 4 views

CVE-2026-1527

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences (\r\n) to: inject arbitrary HTTP headers; terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch). The...

4.6 CVSS, 0.00012 EPSS
Exploits 0, References 3
Vulnrichment
added 2025/10/27 7:42 p.m., 4 views

CVE-2025-59151 Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, t...

8.2 CVSS, 6.9 AI score, 0.00108 EPSS
Exploits 1, References 1
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2015-2167

Malware in sbrugna...

4.3 CVSS, 6.4 AI score, 0.00224 EPSS
Exploits 1, References 3
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-19499

Malware in sbrugna...

6.5 CVSS, 7.8 AI score, 0.00276 EPSS
Exploits 0, References 5
EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2020-0233

Malware in sbrugna...

5.3 CVSS, 5.2 AI score, 0.00344 EPSS
Exploits 1, References 6
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2008-2492

Malware in sbrugna...

5 CVSS, 6.4 AI score, 0.00357 EPSS
Exploits 0, References 6
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-25816

Malicious code in bioql PyPI...

6.3 CVSS, 6.6 AI score, 0.00084 EPSS
Exploits 0, References 4
RedhatCVE
added 2025/05/21 8:47 p.m., 6 views

CVE-2005-4749

HTTP request smuggling vulnerability in BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and 6.1 SP7 and earlier allows remote attackers to inject arbitrary HTTP headers via unspecified attack vectors...

5 CVSS, 7.2 AI score, 0.01767 EPSS
Exploits 0, References 1
Redos
added 2024/11/13 12:00 a.m., 15 views

ROS-20241112-04

A vulnerability in HTTP request handling in the CurlAsyncHTTPClient component of the Tornado asynchronous network library is related to improper neutralization of CRLF sequences. Exploitation of the vulnerability could allow an attacker acting remotely to inject arbitrary headers into a request or cause an...

7.2 AI score
Exploits 0
Veracode
added 2024/06/11 6:26 a.m., 20 views

CRLF Injection

tornado is vulnerable to CRLF Injection. The vulnerability is due to improper CR/LF checks allowing for the inclusion of attacker-controlled header values in requests, which allows arbitrary headers or requests to be sent to a specified server...

7.1 AI score
Exploits 0
Tenable Nessus
added 2023/11/06 12:00 a.m., 34 views

Rocky Linux 8 : grafana (RLSA-2021:4226)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:4226 advisory. - The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call...

7.5 CVSS, 7.3 AI score, 0.92396 EPSS
Exploits 3, References 12
Fortinet
added 2023/02/16 12:00 a.m., 59 views

Protect

An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability (CWE-113) in FortiOS and FortiProxy may allow an authenticated and remote attacker to inject arbitrary headers...

5.5 CVSS, 5.6 AI score, 0.00226 EPSS
Exploits 0, Affected Software 2
RedHat Linux
added 2021/08/10 7:52 a.m., 2 views

golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

A flaw was found in Go, acting as an unintended proxy or intermediary, where ReverseProxy forwards connection headers if the first one was empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity...

5.3 CVSS, 7.2 AI score, 0.00039 EPSS
Exploits 1, References 5