Lucene search
+L

1818 matches found

CVE
CVE
added yesterday10 views

CVE-2026-50197

Summary: CVE-2026-50197 affects zalando/skipper’s OpenPolicyAgent integration. When clients use HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 without Content-Length, the opaAuthorizeRequestWithBody flow exposes an empty raw_body and parsed input.parsed_body to OPA, causing policy checks that rely...

7.8CVSS5.3AI score
Exploits0References4
Cvelist
Cvelist
added yesterday12 views

CVE-2026-50197 Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests

Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the...

7.8CVSS
Exploits0References4
Nuclei
Nuclei
added yesterday32 views

Apache2 - Transfer-Encoding Chunked XSS

Apache2 PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 contain a reflected cross-site scripting vulnerability caused by mishandling of chunked transfer-encoding requests in sapi/apache2handler/sapiapache2.c. Attackers can execute malicious scripts via crafted...

6.1CVSS6.5AI score0.04103EPSS
Exploits1References5
NVD
NVD
added 2 days ago7 views

CVE-2026-44982

CrowdSec offers crowdsourced protection against malicious IPs. From 1.5.0 until 1.7.8, pkg/appsec/request.go NewParsedRequestFromRequest allocated a request body buffer from maxr.ContentLength, 0, so HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests without a content-length...

7.2CVSS0.00217EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago33 views

CVE-2026-44982 CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests

CrowdSec offers crowdsourced protection against malicious IPs. From 1.5.0 until 1.7.8, pkg/appsec/request.go NewParsedRequestFromRequest allocated a request body buffer from maxr.ContentLength, 0, so HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests without a content-length...

7.2CVSS0.00217EPSS
Exploits0References5
CVE
CVE
added 2 days ago32 views

CVE-2026-44982

CVE-2026-44982 affects CrowdSec AppSec. The bug in pkg/appsec/request.go NewParsedRequestFromRequest reads the body using max(r.ContentLength, 0), causing HTTP/1.1 chunked and HTTP/2 without Content-Length to appear with an empty body, bypassing body-inspection rules (REQUEST_BODY, BODY_ARGS, ARG...

7.2CVSS6.1AI score0.00217EPSS
Exploits0References5
OSV
OSV
added 2 days ago5 views

EEF-CVE-2026-59249 Sign-tolerant HTTP/1 chunk-size parser in Mint enables response smuggling against strict intermediaries on pooled connections

Summary Inconsistent interpretation of HTTP requests HTTP response smuggling vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests...

6.3CVSS6.1AI score0.00301EPSS
Exploits0References4
CVE
CVE
added 2 days ago9 views

CVE-2026-59249

The CVE concerns the Elixir Mint library (mint) and its HTTP/1.1 decoding path. Specifically, Mint.HTTP1.decode_body/5 parses chunk-size lines using Integer.parse(data, 16), which accepts a leading + or - despite RFC 7230 requiring unsigned hex digits. This leads to a mismatch with RFC-strict int...

6.3CVSS6.1AI score0.00301EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago30 views

CVE-2026-59249 Sign-tolerant HTTP/1 chunk-size parser in Mint enables response smuggling against strict intermediaries on pooled connections

Inconsistent interpretation of HTTP requests HTTP response smuggling vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that shar...

6.3CVSS0.00301EPSS
Exploits0References4
OSV
OSV
added 4 days ago4 views

CVE-2026-58229 Unbounded HTTP/1 response-header and chunked-trailer accumulation in Mint causes memory-exhaustion DoS

Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP server to exhaust memory on the client host and cause a denial of service. The Mint.HTTP1.decodeheaders/5 and Mint.HTTP1.decodetrailerheaders/4 functions in lib/mint/http1.ex accumulate every parsed...

8.2CVSS6.2AI score0.00305EPSS
Exploits0References9
OSV
OSV
added 2026/07/08 8:23 p.m.3 views

GHSA-659F-RGP5-W4WF Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the...

10CVSS6.2AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/08 8:23 p.m.7 views

Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the...

7.8CVSS6.1AI score
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/07/08 8:23 p.m.5 views

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the ExtractHttpBodyOptionally helper in filters/openpolicyagent/openpolicyagent.go. An attacker can bypass opaAuthorizeRequestWithBody policy checks by sending a chunked HTTP/1.1 request or an HTTP/2 request...

10CVSS6.1AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.7 views

PT-2026-56679

Name of the Vulnerable Software and Affected Versions zalando/skipper versions prior to 0.26.10 Description The OpenPolicyAgent integration in zalando/skipper contains a flaw that allows request-body inspection to be bypassed. This occurs during HTTP/1.1 requests using Transfer-Encoding: chunked...

7.8CVSS5.3AI score
Exploits0References7
NVD
NVD
added 2026/07/06 11:16 a.m.10 views

CVE-2026-56810

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint Mint.HTTP1 module allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines...

8.7CVSS0.00344EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/06 9:17 a.m.31 views

CVE-2026-56810 mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint Mint.HTTP1 module allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines...

8.7CVSS0.00344EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:17 a.m.6 views

CVE-2026-56810

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint Mint.HTTP1 module allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines...

8.7CVSS6AI score0.00344EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/07/06 9:17 a.m.5 views

EUVD-2026-41862

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint Mint.HTTP1 module allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines...

8.7CVSS6AI score0.00344EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/06 9:17 a.m.5 views

CVE-2026-56810 mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint Mint.HTTP1 module allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines...

8.7CVSS6AI score0.00344EPSS
Exploits0References4
CVE
CVE
added 2026/07/06 9:17 a.m.18 views

CVE-2026-56810

CVE-2026-56810 affects mint: a memory-denial vulnerability in Mint.HTTP1.decode_body/5 where chunked HTTP response bodies are buffered in an unbounded data_buffer until the entire declared chunk length completes. The chunk size is parsed with no upper bound, enabling a remote attacker to send an ...

8.7CVSS6AI score0.00344EPSS
Exploits0References4
Rows per page
Query Builder