4189 matches found

CNNVD
added 2026/04/21 12:00 a.m. | 5 views

goshs security vulnerability

goshs is a simple HTTP server written in Go by Patrick Hener. Versions 2.0.0-beta.4 through 2.0.0-beta.5 contain security vulnerabilities. These vulnerabilities arise from broadcasting raw request headers via collaborative WebSocket connections when global basic authentication i...

CVSS 8.8 | AI score 5.8 | EPSS 0.00311
Exploits: 1 | References: 1

SUSE CVE
added 2026/04/20 11:26 p.m. | 4 views

SUSE CVE-2026-31430

In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions. Leo reports an out-of-bounds access when parsing a certificate with an empty Basic Constraints or Key Usage extension because the first byte of the extension is read before...

AI score 5.6 | EPSS 0.00081
Exploits: 0 | References: 3

ATTACKERKB
added 2026/04/20 11:19 p.m. | 1 view

CVE-2026-35587

Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the publicapi configuration parameter. The value of publicapi is used directly in outbound HTTP...

CVSS 8.6 | AI score 5.9 | EPSS 0.00396
Exploits: 1 | References: 3 | Affected software: 1

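The Glances entry above turns on an operator-supplied URL being used for outbound requests without validation. The following is an added example, not Glances code: a check of the kind a `publicapi`-style setting needs before it is fetched. The allowed schemes, the blocked ranges, the `resolve` hook and the `FAKE_DNS` table are assumptions made for an offline demo.

```python
"""Validate an operator-supplied outbound URL before fetching it (added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Cloud metadata endpoint, on top of the ranges ipaddress already classifies.
BLOCKED_NETWORKS = [ipaddress.ip_network("169.254.169.254/32")]


def is_blocked_address(addr: str) -> bool:
    """True for loopback, private, link-local, multicast, unspecified, reserved or listed."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:10.0.0.1 hides an IPv4 target
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved
            or any(ip in net for net in BLOCKED_NETWORKS))


def validate_outbound_url(url: str, resolve) -> str:
    """Return `url` if it is safe to fetch, else raise ValueError.

    `resolve(host)` returns the IP addresses the host maps to. The caller
    should connect to exactly those pinned addresses rather than resolving
    again, so a DNS rebind cannot swap in an internal address later.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)          # IP literal: check it directly
        targets = [host]
    except ValueError:
        targets = resolve(host)             # hostname: check every address it resolves to
    if not targets:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in targets:
        if is_blocked_address(addr):
            raise ValueError(f"{host!r} maps to blocked address {addr}")
    return url


def is_safe_url(url: str, resolve) -> bool:
    """Boolean form of validate_outbound_url."""
    try:
        validate_outbound_url(url, resolve)
    except ValueError:
        return False
    return True


# Constructed DNS stand-in (assumption): one honest name, one that also
# answers with an internal address.
FAKE_DNS = {
    "ip.example.test": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://ip.example.test/json",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/",
                      "https://rebind.example.test/"):
        print(candidate, "->", "ok" if is_safe_url(candidate, fake_resolve) else "rejected")
```

Rejecting a hostname because one of its addresses is internal is deliberate: a resolver that returns a mix is exactly what a rebinding attacker hands you, and the pinned-address rule in the docstring is what keeps the check meaningful after it passes.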
RedhatCVE
added 2026/04/20 11:42 a.m. | 3 views

CVE-2026-40490

A flaw was found in AsyncHttpClient. When redirect following is enabled, the library improperly forwards Authorization and Proxy-Authorization headers, including Realm credentials, to arbitrary redirect targets regardless of domain, scheme, or port changes. An attacker who controls a redirect...

CVSS 6.8 | AI score 5.8 | EPSS 0.00326
Exploits: 0 | References: 8

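The AsyncHttpClient entry above describes credential-bearing headers following a redirect to a different origin. The following is an added example, not AsyncHttpClient's code: redirect handling that forwards those headers only when scheme, host and port are all unchanged. The header set, the hop limit and the `RESPONSES` table standing in for the network are assumptions.

```python
"""Redirect following that does not carry credentials across origins (added example)."""
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must not follow a redirect to another origin.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """(scheme, host, port) of an absolute URL, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot determine origin of {url!r}")
    return scheme, host, port


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Headers allowed on the redirected request.

    Same origin (scheme, host and port all equal): forward everything.
    Any change of scheme, host or port: drop the sensitive headers, so a
    redirect to an attacker-controlled target cannot harvest credentials.
    """
    if origin_of(from_url) == origin_of(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(url: str, headers: dict, responses: dict, max_hops: int = 5) -> list:
    """Walk a redirect chain; return [(url, headers_sent), ...], one entry per hop.

    `responses` is a constructed stand-in for the network: it maps a URL to
    (status, Location), with (200, None) for a final URL.
    """
    trail = []
    for _ in range(max_hops + 1):
        trail.append((url, dict(headers)))
        status, location = responses[url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            return trail
        next_url = urljoin(url, location)            # Location may be relative
        headers = headers_for_redirect(url, next_url, headers)
        url = next_url
    raise RuntimeError("too many redirects")


# Constructed chain (assumption): a same-origin relative redirect, then a
# redirect to a host on another origin that must not see the credentials.
RESPONSES = {
    "https://api.example.test/login": (302, "/session"),
    "https://api.example.test/session": (302, "https://cdn.evil.test/grab"),
    "https://cdn.evil.test/grab": (200, None),
}

if __name__ == "__main__":
    start_headers = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "*/*"}
    for hop_url, sent in follow_redirects("https://api.example.test/login", start_headers, RESPONSES):
        print(hop_url, sorted(sent))
```

Note that a scheme downgrade (https to http on the same host) and a port change are treated as origin changes, matching the "domain, scheme, or port" wording of the advisory; comparing hostnames alone would still leak on either.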
Cvelist
added 2026/04/20 9:43 a.m. | 28 views

CVE-2026-31430 X.509: Fix out-of-bounds access when parsing extensions

In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions. Leo reports an out-of-bounds access when parsing a certificate with an empty Basic Constraints or Key Usage extension because the first byte of the extension is read before...

EPSS 0.00081
Exploits: 0 | References: 5

CVE
added 2026/04/20 9:43 a.m. | 10 views

CVE-2026-31430

CVE-2026-31430 affects the Linux kernel: X.509 extension parsing could read the first byte of an extension before checking its length, causing an out-of-bounds access. The vulnerability can be triggered by an unprivileged user submitting a crafted certificate via the keyrings(7) API. A PoC exists. The ...

CVSS 7.1 | AI score 5.6 | EPSS 0.00081
Exploits: 0 | References: 5 | Affected software: 1

ATTACKERKB
added 2026/04/20 9:43 a.m. | 4 views

CVE-2026-31430

In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions. Leo reports an out-of-bounds access when parsing a certificate with an empty Basic Constraints or Key Usage extension because the first byte of the extension is read before...

AI score 5.6 | EPSS 0.00081
Exploits: 0 | References: 6 | Affected software: 1

Positive Technologies
added 2026/04/20 12:00 a.m. | 2 views

PT-2026-33747

Name of the vulnerable software and affected versions: Linux kernel, affected versions not specified.
Description: An out-of-bounds access occurs when parsing X.509 certificates containing empty Basic Constraints or Key Usage extensions. This happens because the first byte of the extension is read...

CVSS 7.8 | AI score 5.2 | EPSS 0.00378
Exploits: 0 | References: 118

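The CVE-2026-31430 entries above (SUSE, Cvelist, CVE, ATTACKERKB and PT-2026-33747) all describe the same ordering bug: the first byte of an extension value is inspected before its length is checked. The following is an added example, not the Linux kernel's parser: a small length-checked DER reader for the Extension structure, with the buggy check order next to the corrected one. The DER blobs are constructed, and in Python the out-of-bounds read surfaces as an IndexError rather than a memory access.

```python
"""Length-checked DER parsing of an X.509 extension (added example, not kernel code)."""

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")           # 2.5.29.15
TAG_BOOLEAN, TAG_BITSTRING, TAG_OCTETSTRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x03, 0x04, 0x06, 0x30


def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                                  # short form
    else:
        n = first & 0x7F                                # long form: n length bytes follow
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_extension(ext: bytes) -> tuple:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tag, body, end = read_tlv(ext)
    if tag != TAG_SEQUENCE or end != len(ext):
        raise ValueError("extension is not a single SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != TAG_OID:
        raise ValueError("expected OID")
    critical = False
    tag, value, pos = read_tlv(body, pos)
    if tag == TAG_BOOLEAN:
        critical = value == b"\xff"
        tag, value, pos = read_tlv(body, pos)
    if tag != TAG_OCTETSTRING or pos != len(body):
        raise ValueError("expected OCTET STRING as last element")
    return oid, critical, value


def first_byte_check_buggy(oid: bytes, value: bytes) -> bool:
    """Buggy ordering: touches value[0] before looking at the length.

    In C this is the out-of-bounds read; here it surfaces as IndexError.
    """
    if oid == OID_BASIC_CONSTRAINTS:
        ok = value[0] == TAG_SEQUENCE
    elif oid == OID_KEY_USAGE:
        ok = value[0] == TAG_BITSTRING
    else:
        return True
    return ok and len(value) >= 2


def first_byte_check_fixed(oid: bytes, value: bytes) -> bool:
    """Fixed ordering: an empty value is rejected before any byte is read."""
    if oid not in (OID_BASIC_CONSTRAINTS, OID_KEY_USAGE):
        return True
    if len(value) < 2:                                  # need at least a tag and a length byte
        return False
    expected = TAG_SEQUENCE if oid == OID_BASIC_CONSTRAINTS else TAG_BITSTRING
    return value[0] == expected


def accept_extension(ext: bytes, fixed: bool = True) -> bool:
    """Parse and validate one extension; True if it is acceptable."""
    oid, _critical, value = parse_extension(ext)
    check = first_byte_check_fixed if fixed else first_byte_check_buggy
    return check(oid, value)


def buggy_parser_faults(ext: bytes) -> bool:
    """True when the buggy ordering faults (IndexError) on this extension."""
    try:
        accept_extension(ext, fixed=False)
    except IndexError:
        return True
    return False


# Constructed extensions: empty Basic Constraints, a critical empty Key Usage,
# and a well-formed Basic Constraints with cA TRUE.
EMPTY_BASIC_CONSTRAINTS = bytes.fromhex("3007 0603551d13 0400")
EMPTY_KEY_USAGE_CRITICAL = bytes.fromhex("300a 0603551d0f 0101ff 0400")
BASIC_CONSTRAINTS_CA = bytes.fromhex("300c 0603551d13 0405 3003 0101ff")

if __name__ == "__main__":
    for name, blob in [("empty BC", EMPTY_BASIC_CONSTRAINTS), ("empty KU", EMPTY_KEY_USAGE_CRITICAL),
                       ("BC cA", BASIC_CONSTRAINTS_CA)]:
        print(name, "fixed:", accept_extension(blob), "buggy faults:", buggy_parser_faults(blob))
```

The outer `read_tlv` already rejects a length that runs past the buffer, which is why the bug is easy to miss: the OCTET STRING itself is well formed, it just has zero bytes of content, and the consumer of that content has to check the length it was handed before indexing into it.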
EUVD
added 2026/04/19 9:30 a.m. | 1 view

EUVD-2026-23684

A security vulnerability has been detected in H3C Magic B0 up to 100R002. This vulnerability affects the function EditBasicSSID of the file /goform/aspForm. Manipulation of the argument param leads to a buffer overflow. The attack can be executed remotely. The exploit has been disclosed public...

CVSS 9 | AI score 7.8 | EPSS 0.00481
Exploits: 0 | References: 5

vulnersOsv
added 2026/04/16 9:37 p.m. | 6 views

@activeboxes/piece-sftp (=0.2.6), @activepieces/piece-apify (=0.2.1) +26 more potentially affected by CVE-2026-41324 via basic-ftp (>=5.0.2 <=5.2.2)

basic-ftp NPM version =5.0.2, =0.2.6, =1.0.0, =1.0.0, =2.0.18, =1.9.2, =1.2.0, =4.6.0-blowfish, =1.0.3, =1.0.4, =1.0.5 - @neurarank/node-sftp =0.4.3 and more Source cves: CVE-2026-41324 Source advisory: SNYK:JS-BASICFTP-16094986...

CVSS 7.5 | AI score 5.8 | EPSS 0.00332
Exploits: 1

OSV
added 2026/04/16 9:37 p.m. | 4 views

GHSA-RP42-5VXX-QPWR basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()

Summary [email protected] is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list, causing the client process to...

CVSS 7.5 | AI score 6.2 | EPSS 0.00332
Exploits: 1 | References: 3

Snyk
added 2026/04/16 9:37 p.m. | 4 views

Allocation of Resources Without Limits or Throttling

Overview basic-ftp is an FTP client for Node.js that supports FTPS over TLS, IPv6, async/await and TypeScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the StringWriter method. An attacker can cause excessive memory consumption and...

CVSS 8.7 | AI score 5.5 | EPSS 0.00332
Exploits: 1 | References: 2

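The two basic-ftp entries above (GHSA-RP42-5VXX-QPWR and the Snyk record) describe a client that accumulates a server-controlled listing with no upper bound. The following is an added example, not basic-ftp's code: a collector that stops once a listing exceeds a cap, fed by a constructed generator that plays the never-ending server. The cap value and the `ListingTooLarge` exception are assumptions.

```python
"""Bound memory when collecting a server-controlled response (added example)."""
from typing import Iterable, Iterator


class ListingTooLarge(Exception):
    """Raised when the remote listing exceeds the configured cap."""


def collect_listing(chunks: Iterable[bytes], max_bytes: int = 1 << 20) -> str:
    """Join chunks into a directory listing; abort as soon as more than max_bytes arrive.

    The check runs per chunk, so the cap bounds peak memory rather than only
    the final size: a never-ending sender is cut off after at most
    max_bytes plus one chunk.
    """
    total = 0
    parts = []
    for chunk in chunks:
        total += len(chunk)
        if total > max_bytes:
            raise ListingTooLarge(f"listing exceeded {max_bytes} bytes")
        parts.append(chunk)
    return b"".join(parts).decode("utf-8", errors="replace")


def listing_exceeds(chunks: Iterable[bytes], max_bytes: int) -> bool:
    """True when the listing is rejected for size."""
    try:
        collect_listing(chunks, max_bytes)
    except ListingTooLarge:
        return True
    return False


def endless_listing(line: bytes = b"-rw-r--r-- 1 ftp ftp 0 Jan  1 00:00 file\r\n") -> Iterator[bytes]:
    """Constructed malicious server: repeats one listing line forever."""
    while True:
        yield line


if __name__ == "__main__":
    print(collect_listing([b"drwxr-xr-x 2 ftp ftp 4096 Jan  1 00:00 pub\r\n"], 4096))
    print("endless listing rejected:", listing_exceeds(endless_listing(), 4096))
```

In a real client the rejection should also close the data connection, since the server will keep sending regardless; the cap only protects the process that stopped reading.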
OSSF Malicious Packages
added 2026/04/16 9:56 a.m. | 6 views

Malicious code in express-auth-basic (npm)

Per-source details (do not edit below this line). Source: amazon-inspector 1e643f12d60a16d07664d45cf59400356a38f8bb5463f358e1e86e217b88fab5. The package express-auth-basic was found to contain malicious code...

AI score 5.7
Exploits: 0

Fedora
added 2026/04/16 12:55 a.m. | 3 views

[SECURITY] Fedora 43 Update: python-flask-httpauth-4.8.1-1.fc43

Flask-HTTPAuth: Basic and Digest HTTP authentication for Flask routes...

CVSS 8.2 | AI score 5.8 | EPSS 0.00324
Exploits: 0

Positive Technologies
added 2026/04/16 12:00 a.m. | 2 views

PT-2026-33341

Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access...

CVSS 5.1 | AI score 5.8 | EPSS 0.00176
Exploits: 0 | References: 4

OSSF Malicious Packages
added 2026/04/15 11:21 p.m. | 6 views

Malicious code in simple-auth-basic (npm)

simple-auth-basic is a malicious npm package that, when imported, downloads a C2 dropper from https://coingecko-liard.vercel.app and executes it. Per-source details (do not edit below this line). Source: amazon-inspector c8802844b712eedf88f3862f4e836efd3a767ee4944f6ec3b8c3fbe849fd741b. The...

AI score 5.4
Exploits: 0 | References: 2

OSV
added 2026/04/15 11:21 p.m. | 5 views

MAL-2026-2905 Malicious code in simple-auth-basic (npm)

simple-auth-basic is a malicious npm package that, when imported, downloads a C2 dropper from https://coingecko-liard.vercel.app and executes it. Per-source details (do not edit below this line). Source: amazon-inspector c8802844b712eedf88f3862f4e836efd3a767ee4944f6ec3b8c3fbe849fd741b. The...

AI score 5.4
Exploits: 0 | References: 2

GitHub Security Blog
added 2026/04/14 10:28 p.m. | 5 views

goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access

Summary: goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including...

CVSS 8.8 | AI score 5.8 | EPSS 0.00311
Exploits: 1 | References: 3 | Affected software: 1

OSV
added 2026/04/14 10:28 p.m. | 2 views

GHSA-7H3J-592V-JCRP goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access

Summary: goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including...

CVSS 8.8 | AI score 5.8 | EPSS 0.00311
Exploits: 1 | References: 3

GitHub Security Blog
added 2026/04/14 10:28 p.m. | 23 views

goshs has CSRF in state-changing GET routes that enables authenticated file deletion and directory creation

Summary: goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or...

CVSS 8.1 | AI score 5.8 | EPSS 0.00143
Exploits: 1 | References: 3 | Affected software: 1

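The three goshs entries above (the CNNVD record, the collaborator-feed credential leak and the CSRF on GET routes) share a request pipeline in which logging and broadcasting happen before authorization, raw headers reach the feed, and destructive actions are reachable through GET with basic auth as the only check. The following is an added example, not goshs code: a toy file-server handler in the shape such a server needs, written so that authorization runs first, credential-bearing headers are redacted before anything is broadcast, and state changes require a non-GET method plus a same-origin caller. The `.goshs`-style ACL format, the action names, the `Request`/`FileServer` classes and the origin check are assumptions made for the demo.

```python
"""Authorize first, redact before broadcast, no state changes via GET (added example)."""
import base64
import hmac
from dataclasses import dataclass, field

SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
STATE_CHANGING = {"delete", "mkdir", "upload"}   # assumed names, modelled on ?delete / ?mkdir


@dataclass
class Request:
    method: str
    path: str
    query: dict
    headers: dict

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


@dataclass
class FileServer:
    origin: str                                   # e.g. "https://files.example.test"
    acl: dict                                     # {"/private/": ("user", "password")}, stand-in for a .goshs ACL
    feed: list = field(default_factory=list)      # what collaborators get to see
    log: list = field(default_factory=list)

    def handle(self, req: Request) -> int:
        # 1. Authorize before anything is logged or broadcast: a request that
        #    fails the ACL never reaches the feed, headers and all.
        if not self._authorized(req):
            return 401
        action = next((q for q in req.query if q in STATE_CHANGING), None)
        if action is not None:
            # 2. Basic auth is attached by the browser automatically, so it is
            #    not evidence of intent. Require POST and a same-origin caller.
            if req.method != "POST":
                return 405
            if not self._same_origin(req):
                return 403
        self.log.append(f"{req.method} {req.path} {action or ''}".rstrip())
        self._broadcast(req)
        return 200

    def _authorized(self, req: Request) -> bool:
        folder = next((p for p in self.acl if req.path.startswith(p)), None)
        if folder is None:
            return True                           # not an ACL-protected folder
        header = req.headers.get("authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
        except ValueError:                        # binascii.Error and UnicodeDecodeError both subclass it
            return False
        want_user, want_pw = self.acl[folder]
        user_ok = hmac.compare_digest(user.encode(), want_user.encode())
        pw_ok = hmac.compare_digest(password.encode(), want_pw.encode())
        return user_ok & pw_ok                    # evaluate both; no short-circuit on the username

    def _same_origin(self, req: Request) -> bool:
        site = req.headers.get("sec-fetch-site")
        if site is not None:                      # modern browsers send this on every request
            return site == "same-origin"
        origin = req.headers.get("origin")        # fallback: explicit Origin must match ours
        return origin is not None and origin.rstrip("/") == self.origin

    def _broadcast(self, req: Request) -> None:
        # 3. Collaborators see the request, never the credential-bearing headers.
        shown = {k: ("[redacted]" if k in SENSITIVE_HEADERS else v) for k, v in req.headers.items()}
        self.feed.append({"method": req.method, "path": req.path, "headers": shown})


def basic(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    srv = FileServer(origin="https://files.example.test", acl={"/private/": ("alice", "s3cret")})
    creds = {"Authorization": basic("alice", "s3cret")}
    print(srv.handle(Request("GET", "/private/notes.txt", {}, creds)), srv.feed[-1]["headers"])
    print(srv.handle(Request("GET", "/private/notes.txt", {"delete": ""}, {**creds, "Sec-Fetch-Site": "cross-site"})))
```

The order of the three checks is the point: redaction on its own would still let unauthorized requests into the feed, and an Origin check on its own would still let a GET with cached credentials delete files. A per-session CSRF token is the stronger replacement for the Origin/Sec-Fetch-Site comparison when the server is reachable through proxies that strip those headers.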