11 matches found
CVE-2026-48856 httpc leaks Authorization header to cross-origin redirect targets
Sensitive Data Exposure vulnerability in Erlang OTP inets httpc_response module allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary...
Medium: perl-libwww-perl
Issue Overview: LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorizatio...
Insertion of Sensitive Information Into Sent Data
Overview: org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect...
EEF-CVE-2026-48595 Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
Summary: Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison...
Origin Validation Error
Overview: org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client AHC classes. Affected versions of this package are vulnerable to Origin Validation Error in the Redirect30xInterceptor class. An attacker in control of a cross-origin redirect target via a different exploit...
CVE-2026-1524
CVE-2026-1524 describes an edge case in Neo4j Enterprise Edition’s SSO (OIDC) integration. Before version 2026.02 (and 5.26.22), if an admin configured two or more OIDC providers with at least one as authorization and one as authentication-only, those authentication-only providers could implicitl...
Security update for libsoup
This update for libsoup fixes the following issues: CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398). CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects (bsc#1257441)...
EulerOS 2.0 SP13 : python-pip (EulerOS-SA-2025-2510)
According to the versions of the python-pip packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected...
PT-2024-22741 · Unknown · Streampark
Name of the Vulnerable Software and Affected Versions: Streampark versions prior to 2.1.4 Description: The issue allows a user to obtain sensitive information, including usernames, passwords, and salt values of other users, after a successful login. This is due to the Backend service returning...
AZL-26985 CVE-2023-32681 affecting package python-requests for versions less than 2.27.1-6
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent...
USN-4323-1 firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. CVE-2020-6821, CVE-2020-6822, CVE-2020-6824,...