Lucene search
K

537 matches found

GitLab Advisory Database
GitLab Advisory Database
added 2026/04/22 12:0 a.m.10 views

actix-http has HTTP/1.1 CL.TE Request Smuggling

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length...

5.8AI score
Exploits0References4Affected Software1
Packet Storm News
Packet Storm News
added 2026/04/22 12:0 a.m.5 views

HTTP Chunked Encoding Behavior Analyzer

This script is a security analysis tool designed to test how a web server such as Kestrel-based applications handles HTTP requests using chunked transfer encoding...

5.8AI score
Exploits0
Packet Storm
Packet Storm
added 2026/04/21 12:0 a.m.137 views

📄 ASP.net 8.0.10 Core Kestrel HTTP Request Smuggling

This Metasploit auxiliary module targets a critical HTTP request smuggling vulnerability in ASP.NET Core Kestrel caused by improper parsing of malformed chunked transfer encoding notably LF-only line handling and case-variant headers like chUnKEd...

9.9CVSS5.8AI score0.66258EPSS
Exploits5
Github Security Blog
Github Security Blog
added 2026/04/14 11:40 p.m.11 views

Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Description as reported Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques: -...

9.1CVSS5.9AI score0.01127EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/04/14 11:40 p.m.8 views

GHSA-355H-QMC2-WPWF Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Description as reported Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques: -...

7.4CVSS5.9AI score0.01127EPSS
Exploits1References5
NVD
NVD
added 2026/04/14 12:16 p.m.8 views

CVE-2026-2332

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: https://w4ke.info/2025/06/18/funky-chunks.html https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing...

9.1CVSS0.01127EPSS
Exploits1References12
OSV
OSV
added 2026/04/14 12:16 p.m.4 views

UBUNTU-CVE-2026-2332

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: https://w4ke.info/2025/06/18/funky-chunks.html https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing...

9.1CVSS5.8AI score0.01127EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/14 12:12 p.m.5 views

HTTP Request Smuggling

Overview org.eclipse.jetty:jetty-http is an is a http module for jetty server. Affected versions of this package are vulnerable to HTTP Request Smuggling in the HTTP/1.1 parser HttpParser.java. An attacker can inject additional HTTP requests with chunked transfer encoding with improperly terminat...

9.1CVSS5.7AI score0.01127EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.5 views

PT-2026-32618

Name of the Vulnerable Software and Affected Versions Eclipse Jetty versions 12.1.0 through 12.1.6 Eclipse Jetty versions 12.0.0 through 12.0.32 Eclipse Jetty versions 11.0.0 through 11.0.27 Eclipse Jetty versions 10.0.0 through 10.0.27 Eclipse Jetty versions 9.4.0 through 9.4.59 Description The...

9.1CVSS5.7AI score0.01127EPSS
Exploits1References62
Tenable Nessus
Tenable Nessus
added 2026/04/12 12:0 a.m.5 views

Fedora 43 : trafficserver (2026-7b719a7a58)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-7b719a7a58 advisory. Resolves: CVE-2025-58136 - A simple legitimate POST request causes a crash CVE-2025-65114 - Malformed chunked message body allows request smuggling...

7.5CVSS6.1AI score0.00673EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/04/07 11:17 a.m.5 views

CVE-2026-31842

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The ischunkedtransfer function uses strcmp to compare the header value against "chunked", even though RFC 7230 specifies that...

8.7CVSS5.4AI score0.00899EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added 2026/03/30 11:27 p.m.7 views

SUSE CVE-2026-33870

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...

7.5CVSS5.8AI score0.0064EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/30 9:31 a.m.4 views

EUVD-2026-17066

An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service DoS. The issue occurs because chunk size values are parsed using strtol without properly validating...

8.7CVSS6AI score0.00598EPSS
Exploits0References6
UbuntuCve
UbuntuCve
added 2026/03/30 8:16 a.m.4 views

CVE-2026-3945

An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service DoS. The issue occurs because chunk size values are parsed using strtol without properly validating...

8.7CVSS6AI score0.00598EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/03/30 7:5 a.m.25 views

CVE-2026-3945

An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service DoS. The issue occurs because chunk size values are parsed using strtol without properly validating...

8.7CVSS0.00598EPSS
Exploits0References5
CVE
CVE
added 2026/03/30 7:5 a.m.29 views

CVE-2026-3945

Tinyproxy (up to 1.11.3) contains an integer overflow in the HTTP chunked transfer encoding parser. Chunk sizes are parsed with strtol() without proper overflow validation, allowing a crafted size (e.g., LONG_MAX) to bypass checks and overflow arithmetic (chunklen + 2). This can cause the proxy t...

8.7CVSS6AI score0.00598EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/30 12:0 a.m.13 views

Tinyproxy 安全漏洞

Tinyproxy is a small, efficient HTTP/SSL proxy daemon developed by Tinyproxy. Versions of Tinyproxy 1.11.3 and earlier contain security vulnerabilities, which stem from integer overflows in the HTTP chunked transmission encoding parser, potentially leading to denial-of-service attacks...

8.7CVSS5.8AI score0.00598EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/03/27 11:27 p.m.3 views

CVE-2026-33870

A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass...

7.5CVSS5.8AI score0.0064EPSS
Exploits1References7
OSV
OSV
added 2026/03/27 8:16 p.m.2 views

DEBIAN-CVE-2026-33870

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...

7.5CVSS8.2AI score0.0064EPSS
Exploits1References1
UbuntuCve
UbuntuCve
added 2026/03/27 8:16 p.m.3 views

CVE-2026-33870

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fi...

7.5CVSS5.8AI score0.0064EPSS
Exploits1References5
Rows per page
Query Builder