139 matches found

ATTACKERKB
added 2026/06/08 4:34 p.m., 4 views

CVE-2026-43966

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other byt...

CVSS 6.3 | AI score 5.6 | EPSS 0.00312
Exploits 0 | References 5 | Affected software 1
CNNVD
added 2026/06/04 12:00 a.m., 4 views

Net::Statsd::Lite security vulnerability

Net::Statsd::Lite is a lightweight StatsD client developed by Robert Rothenberg, which supports multiple metric data packets. Versions of Net::Statsd::Lite prior to 0.13 contained security vulnerabilities. These vulnerabilities stemmed from the lack of checks for line breaks, colons, or pipes in...

CVSS 5.3 | AI score 5.2 | EPSS 0.00268
Exploits 0 | References 3
CNNVD
added 2026/06/04 12:00 a.m., 6 views

Etsy::StatsD security vulnerability

Etsy::StatsD is an open-source application performance monitoring and metric collection component developed by statsd. Etsy::StatsD versions 1.002002 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of checks for line breaks, colons, or pipes in metric...

CVSS 7.5 | AI score 5.2 | EPSS 0.00272
Exploits 0 | References 2
CNNVD
added 2026/05/30 12:00 a.m., 8 views

Text::LineFold security vulnerability

Text::LineFold is a Perl text-processing module developed by the individual developer NEZUMI. Versions of Text::LineFold 2019.001 and earlier contained security vulnerabilities. These vulnerabilities were caused by repeated output based on the number of special line breaks, which cou...

CVSS 6.2 | AI score 5.8 | EPSS 0.002
Exploits 0 | References 4
Github Security Blog
added 2026/05/27 8:42 p.m., 10 views

Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Description: Symfony\Component\Mime\Address is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email...

AI score 5.8 | EPSS 0.00062
Exploits 0 | References 6 | Affected software 2
CNNVD
added 2026/05/27 12:00 a.m., 19 views

BentoML code injection vulnerability

BentoML is an open-source model-serving library developed by BentoML. It is used to build high-performance and scalable artificial intelligence applications in Python. BentoML versions prior to 1.4.39 contained a code injection vulnerability. This vulnerability stemmed from the envs.name value...

CVSS 8.8 | AI score 5.9 | EPSS 0.00275
Exploits 1 | References 2
Positive Technologies
added 2026/05/27 12:00 a.m., 7 views

PT-2026-44136

Description: Symfony\Component\Mime\Address is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email...

CVSS 7.1 | AI score 5.8 | EPSS 0.00062
Exploits 0 | References 7
UbuntuCve
added 2026/05/22 2:16 p.m., 8 views

CVE-2026-9277

shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore passed...

CVSS 9.2 | AI score 5.9 | EPSS 0.00552
Exploits 1 | References 6
CNNVD
added 2026/05/18 12:00 a.m., 8 views

Net::Statsd::Lite injection vulnerability

Net::Statsd::Lite is a lightweight StatsD client developed by Robert Rothenberg, which supports multiple metric data packets. Versions of Net::Statsd::Lite prior to 0.10.0 have a vulnerability due to the set_add method not checking for line breaks, colons, or pipes, which may lead to metric...

CVSS 7.3 | AI score 5.8 | EPSS 0.00226
Exploits 0 | References 2
CNNVD
added 2026/05/16 12:00 a.m., 9 views

Net::Statsd::Lite injection vulnerability

Net::Statsd::Lite is a lightweight StatsD client developed by Robert Rothenberg, which supports multiple metric data packets. Versions of Net::Statsd::Lite prior to 0.9.0 have an injection vulnerability. This vulnerability arises from the lack of checks for line breaks, colons, or vertical bars in...

CVSS 6.5 | AI score 5.8 | EPSS 0.00306
Exploits 0 | References 2
Talos Blog
added 2026/05/07 6:00 p.m., 9 views

Unplug your way to better code

Welcome to this week's edition of the Threat Source newsletter. Hey, you. Yeah, you! The person endlessly scrolling or typing away at their computer. Did you touch grass today? It's just an expression, but if nature's your thing, that works just fine. What I do mean is that due to the nature of t...

AI score 5.9
Exploits 0
CNNVD
added 2026/05/06 12:00 a.m., 22 views

Gotenberg parameter injection vulnerability

Gotenberg is an open-source, developer-friendly API developed by Gotenberg. It is used to convert various document formats into PDF files. Versions of Gotenberg 8.30.1 and earlier contained a parameter injection vulnerability. This vulnerability stemmed from the fact that the metadata writing...

CVSS 10 | AI score 5.9 | EPSS 0.00611
Exploits 1 | References 1
AstraLinux
added 2026/05/03 11:59 p.m., 7 views

Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential oops in cifs_oplock_break. With deferred close, there may be situations where closes occur simultaneously with lease breaks. Additionally, when checking whether to send the lease response, oplock_response can...

AI score 5.3 | EPSS 0.00168
Exploits 0 | References 1
OSV
added 2026/04/23 2:19 p.m., 5 views

CLSA-2026-1776953969 vim: Fix of CVE-2022-2889

CVE-2022-2889: fix use-after-free with multiple line breaks in a Vim9 expression by deferring the free of evalarg->eval_tofree...

CVSS 7.8 | AI score 7.1 | EPSS 0.00497
Exploits 1 | References 1
CNNVD
added 2026/04/22 12:00 a.m., 8 views

Radare2 OS command injection vulnerability

Radare2 is an open-source reverse-engineering framework developed by Radare. Versions of Radare2 prior to 6.1.4 contained an operating system command injection vulnerability. This vulnerability stemmed from the printgvars function in the PDB parser, which allowed command...

CVSS 8.4 | AI score 6 | EPSS 0.01051
Exploits 1 | References 1
CNNVD
added 2026/04/22 12:00 a.m., 6 views

WordPress plugin HTTP Headers injection vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform written in PHP that allows personal blog websites to be created on servers running PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 5.5 | AI score 6 | EPSS 0.00474
Exploits 0 | References 1
Positive Technologies
added 2026/04/10 12:00 a.m., 2 views

PT-2026-31952

Name of the vulnerable software and affected versions: Vikunja versions prior to 2.3.0. Description: Vikunja, a self-hosted task management platform, has an issue where the CalDAV output generator doesn't properly escape characters in iCalendar VTODO entries. Specifically, user-controlled task title...

CVSS 4.1 | AI score 5.9 | EPSS 0.00196
Exploits 1 | References 8
CNNVD
added 2026/04/07 12:00 a.m., 4 views

FTL injection vulnerability

FTL is an open-source network ad-blocking and statistics tool developed by Pi-hole. Versions of FTL from 6.0 to 6.6 had an injection vulnerability. This vulnerability stemmed from the configuration parameters of upstream DNS servers, allowing authenticated attackers to inject arbitrary...

CVSS 8.8 | AI score 6 | EPSS 0.00859
Exploits 2 | References 1
CNNVD
added 2026/04/07 12:00 a.m., 6 views

FTL injection vulnerability

FTL is an open-source network ad-blocking and statistics tool developed by Pi-hole. Versions of FTL from 6.0 to 6.6 had an injection vulnerability. This vulnerability stemmed from the DNS CNAME record configuration parameters, allowing authenticated attackers to inject arbitrary dnsma...

CVSS 8.8 | AI score 6 | EPSS 0.00686
Exploits 1 | References 1
CNNVD
added 2026/04/07 12:00 a.m., 7 views

FTL injection vulnerability

FTL is an open-source network ad-blocking and statistics tool developed by Pi-hole. Versions of FTL from 6.0 to 6.6 had an injection vulnerability. This vulnerability stemmed from configuration parameters in DNS host records, allowing authenticated attackers to inject arbitrary dnsmas...

CVSS 8.8 | AI score 6 | EPSS 0.00526
Exploits 0 | References 1