Lucene search
K

927 matches found

NVD
NVD
added yesterday3 views

CVE-2026-58213

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupti...

7.1CVSS
Exploits0References8
CVE
CVE
added 2 days ago12 views

CVE-2026-55427

Coder exposes SSH config injection risk via the config-ssh command: before 2.34.2, 2.33.8, 2.32.7, and 2.29.17, server-supplied values for HostnameSuffix and SSHConfigOptions could be written into ~/.ssh/config without rejecting newlines or restricting directives. This could enable a malicious or...

8.3CVSS6.1AI score0.0047EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2026/06/25 7:16 p.m.8 views

CVE-2026-28898

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values :path, :authority, :scheme, :method, and :status at both the HPACK...

5.3CVSS0.00192EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 6:36 p.m.4 views

EUVD-2026-39533

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values :path, :authority, :scheme, :method, and :status at both the HPACK...

5.3CVSS5.8AI score0.00192EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 6:36 p.m.6 views

CVE-2026-28898

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values :path, :authority, :scheme, :method, and :status at both the HPACK...

5.3CVSS5.8AI score0.00192EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 6:36 p.m.54 views

CVE-2026-28898

CVE-2026-28898 concerns swift-nio-http2, where the HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before translating to HTTP/1.1. The issue is addressed in swift-nio-http2 1.44.1, which adds validation for all pseudo-header values (:path, :authority, :scheme...

5.3CVSS5.8AI score0.00192EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/23 7:26 p.m.4 views

CVE-2026-54326

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi HTML exports render session Markdown into a static HTML file. It did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme could bypass th...

2.5CVSS5.8AI score0.00132EPSS
Exploits0References4Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.4 views

Oracle Linux 9 : openssh (ELSA-2026-19219)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-19219 advisory. - CVE-2026-3497: Fix information disclosure or denial of service due to uninitialized variables in gssapi-keyex Resolves: RHEL-155825 - CVE-2025-61984...

8.2CVSS6.7AI score0.0218EPSS
Exploits2References6
ATTACKERKB
ATTACKERKB
added 2026/06/22 11:28 a.m.3 views

CVE-2026-11373

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

8.2CVSS5.8AI score0.00352EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/22 11:28 a.m.8 views

EUVD-2026-38224

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

9.1CVSS5.8AI score0.00352EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.18 views

PT-2026-51292

Name of the Vulnerable Software and Affected Versions Net::Statsite::Client versions prior to 1.1.1 Description Net::Statsite::Client, a client for the statsite protocol a variant of statsd, allows metric injections. This occurs because newlines are not removed from metric names, and values are n...

9.1CVSS5.9AI score0.00352EPSS
Exploits0References12
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux – Vulnerability in Subversion

Insufficient validation of filenames against control characters in Apache Subversion repositories served via moddavsvn allows authenticated users with commit access to commit a corrupted revision, resulting in disruptions for users of the repository. All versions of Subversion, including Subversi...

4.3CVSS5.4AI score0.01943EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/06/17 4:18 p.m.8 views

netty-codec-http: Netty: Data manipulation via request-boundary confusion in HttpObjectDecoder

A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...

5.3CVSS5.3AI score0.00232EPSS
Exploits0References7
Veracode
Veracode
added 2026/06/16 6:38 p.m.8 views

HTTP Request Smuggling

Netty is vulnerable to HTTP Request Smuggling. The vulnerability is due to HttpObjectDecoder improperly ignoring non-CRLF control characters before the request line, which allows an attacker to create request-boundary confusion between front-end and back-end components and potentially smuggle...

5.3CVSS5.2AI score0.00232EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/15 8:46 p.m.6 views

GHSA-HVCG-QMG6-JM4C Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

Summary Before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControlb is true 0x00–0x1F and 0x7F as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance...

5.3CVSS5.4AI score0.00232EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/15 8:46 p.m.10 views

EUVD-2026-36468

Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted...

5.3CVSS5.3AI score0.00232EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/15 8:46 p.m.8 views

Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

Summary Before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControlb is true 0x00–0x1F and 0x7F as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance...

5.3CVSS5.3AI score0.00232EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/15 8:36 a.m.14 views

CVE-2026-50020

A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...

5.3CVSS4.9AI score0.00232EPSS
Exploits0References6
NVD
NVD
added 2026/06/13 3:16 a.m.18 views

CVE-2026-54231

A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A...

5.5CVSS0.00116EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 2:55 p.m.28 views

CVE-2026-50020 Netty's HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControlb is true 0x00–0x1F and 0x7F as well as all...

5.3CVSS0.00232EPSS
Exploits0References3
Rows per page
Query Builder