Lucene search
+L

944 matches found

euvd
euvd
added last week20 views

EUVD-2026-34067

morgan vulnerable to Log Forging via unneutralized control characters in :remote-user...

5.3CVSS6.1AI score0.00246EPSS
Exploits0References3
nvd
nvd
added 2026/07/08 8:16 p.m.6 views

CVE-2026-58213

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupti...

7.1CVSS0.00441EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/07/08 12:0 a.m.12 views

PT-2026-56561

Name of the Vulnerable Software and Affected Versions NATS Server versions prior to 2.14.1 NATS Server versions prior to 2.12.9 Description An MQTT client can include protocol control characters in subscription filters. These characters are subsequently forwarded as NATS protocol data to route or...

7.1CVSS6.1AI score0.00441EPSS
Exploits0References14
cve
cve
added 2026/07/07 11:55 p.m.16 views

CVE-2026-55427

Coder exposes SSH config injection risk via the config-ssh command: before 2.34.2, 2.33.8, 2.32.7, and 2.29.17, server-supplied values for HostnameSuffix and SSHConfigOptions could be written into ~/.ssh/config without rejecting newlines or restricting directives. This could enable a malicious or...

8.3CVSS6.1AI score0.00466EPSS
Exploits0References6Affected Software1
nvd
nvd
added 2026/06/25 7:16 p.m.11 views

CVE-2026-28898

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values :path, :authority, :scheme, :method, and :status at both the HPACK...

5.3CVSS0.00192EPSS
Exploits0References1
cve
cve
added 2026/06/25 6:36 p.m.59 views

CVE-2026-28898

CVE-2026-28898 concerns swift-nio-http2, where the HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before translating to HTTP/1.1. The issue is addressed in swift-nio-http2 1.44.1, which adds validation for all pseudo-header values (:path, :authority, :scheme...

5.3CVSS5.8AI score0.00192EPSS
Exploits0References1Affected Software1
euvd
euvd
added 2026/06/25 6:36 p.m.8 views

EUVD-2026-39533

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values :path, :authority, :scheme, :method, and :status at both the HPACK...

5.3CVSS5.8AI score0.00192EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/06/25 6:36 p.m.7 views

CVE-2026-28898

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values :path, :authority, :scheme, :method, and :status at both the HPACK...

5.3CVSS5.8AI score0.00192EPSS
Exploits0References2
astralinux
astralinux
added 2026/06/24 3:11 p.m.9 views

Astra Linux – Vulnerability in Python 3.11

The poplib module, when a user-controlled command is passed to it, can have additional commands injected using newlines. Mitigation rejects commands that contain control characters...

5.9CVSS6.8AI score0.00315EPSS
Exploits0References3
astralinux
astralinux
added 2026/06/24 3:11 p.m.8 views

Astra Linux – Vulnerability in Python 3.11

The imaplib module, when a user-controlled command is passed to it, can have additional commands injected using newlines. Mitigation rejects commands that contain control characters...

5.9CVSS6.8AI score0.0036EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/06/23 7:26 p.m.4 views

CVE-2026-54326

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

2.5CVSS5.8AI score0.00132EPSS
Exploits0References4Affected Software1
osv
osv
added 2026/06/23 7:26 p.m.4 views

CVE-2026-54326 Pi: Potential XSS in HTML session exports via Markdown URL sanitization bypass

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

2.5CVSS5.9AI score0.00132EPSS
Exploits0References5
nessus
nessus
added 2026/06/23 12:0 a.m.4 views

Oracle Linux 9 : openssh (ELSA-2026-19219)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-19219 advisory. - CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex Resolves: RHEL-155825 - CVE-2025-61984...

8.2CVSS6.7AI score0.0218EPSS
Exploits2References6
osv
osv
added 2026/06/22 9:30 p.m.2 views

CVE-2026-44889 WebOb: Location header normalization during redirect leads to open redirect

WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit stri...

6.1CVSS5.9AI score0.00161EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/06/22 11:28 a.m.4 views

CVE-2026-11373

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

8.2CVSS5.8AI score0.00352EPSS
Exploits0References7
euvd
euvd
added 2026/06/22 11:28 a.m.11 views

EUVD-2026-38224

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

9.1CVSS5.8AI score0.00352EPSS
Exploits0References6
osv
osv
added 2026/06/22 11:28 a.m.4 views

CVE-2026-11373 Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

9.1CVSS5.9AI score0.00352EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/22 12:0 a.m.21 views

PT-2026-51292

Name of the Vulnerable Software and Affected Versions Net::Statsite::Client versions prior to 1.1.1 Description Net::Statsite::Client, a client for the statsite protocol a variant of statsd, allows metric injections. This occurs because newlines are not removed from metric names, and values are n...

9.1CVSS5.9AI score0.00352EPSS
Exploits0References12
redhat
redhat
added 2026/06/17 4:18 p.m.11 views

netty-codec-http: Netty: Data manipulation via request-boundary confusion in HttpObjectDecoder

A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...

5.3CVSS5.3AI score0.00232EPSS
Exploits0References7
veracode
veracode
added 2026/06/16 6:38 p.m.11 views

HTTP Request Smuggling

Netty is vulnerable to HTTP Request Smuggling. The vulnerability is due to HttpObjectDecoder improperly ignoring non-CRLF control characters before the request line, which allows an attacker to create request-boundary confusion between front-end and back-end components and potentially smuggle...

5.3CVSS5.2AI score0.00232EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder