Lucene search
K

680 matches found

NVD
NVD
added 2026/05/25 3:16 p.m.27 views

CVE-2026-47070

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackneyh3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

6.1CVSS0.00348EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/05/25 2:0 p.m.39 views

CVE-2026-47070 HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackneyh3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

6CVSS0.00348EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/05/25 2:0 p.m.14 views

CVE-2026-47070

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackneyh3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

9.8CVSS6.8AI score0.08031EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/05/25 2:0 p.m.2 views

CVE-2026-47070 HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackneyh3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

6CVSS6AI score0.00348EPSS
Exploits1References9
OSV
OSV
added 2026/05/25 2:0 p.m.8 views

EEF-CVE-2026-47070 HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney

Summary Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney\h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/...

6CVSS6.1AI score0.00348EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/05/25 12:0 a.m.17 views

PT-2026-43067

Name of the Vulnerable Software and Affected Versions benoitc hackney versions 3.1.1 through 4.0.0 Description A sensitive data exposure issue exists where the HTTP/3 redirect handler in src/hackney h3.erl passes original request headers to a redirect target without performing cross-origin checks...

6.1CVSS5.8AI score0.00348EPSS
Exploits1References10
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.8 views

Astra Linux – Vulnerability in Flask

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client’s session...

7.5CVSS7.1AI score0.01261EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in Apache2

Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Cookie header handled by modsession can lead to a NULL pointer derefrence error and system crash, potentially causing a Denial Of Service attack...

7.5CVSS7AI score0.65067EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.2 views

Astra Linux – Vulnerability in Firefox and Thunderbird

Set-Cookie response headers were being honored incorrectly in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as part of the response body, they could inject Set-Cookie headers that would be honored by the browser. This vulnerability affects Firefo...

6.1CVSS6.6AI score0.00743EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in python-future

A vulnerability discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service by using a crafted Set-Cookie header from a malicious web server...

7.5CVSS6.7AI score0.01804EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.9 views

Astra Linux – Vulnerability in python-urllib3

urllib3 is a user-friendly HTTP client library for Python. urllib3 does not treat the Cookie HTTP header specially or provides any helpers for managing cookies over HTTP; that responsibility lies with the user. However, it is possible for a user to specify a Cookie header, and inadvertently leak...

8.1CVSS6.7AI score0.01207EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/18 4:42 p.m.20 views

async-http-client: Cookie header not stripped on cross-origin redirect

Summary async-http-client leaks Cookie headers to cross-origin redirect targets. When following a redirect across a security boundary different origin, or HTTPS→HTTP downgrade, the propagatedHeaders method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but doe...

7.4CVSS5.8AI score0.00322EPSS
Exploits1References5Affected Software1
CVE
CVE
added 2026/05/15 4:27 p.m.29 views

CVE-2026-41181

CVE-2026-41181 affects Traefik before 2.11.44, 3.6.15, and 3.7.0-rc.3. The information disclosure stems from the errors middleware in which, when a response matches a configured status range, the middleware forwards the full request header set (including Authorization and Cookies) to the separate...

6.9CVSS5.8AI score0.00445EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/15 4:27 p.m.9 views

CVE-2026-41181 Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...

6.9CVSS5.8AI score0.00445EPSS
Exploits1References4
OSV
OSV
added 2026/05/15 8:32 a.m.10 views

CLSA-2026-1778811697 wget: Fix of CVE-2021-31879

CVE-2021-31879: do not propagate Authorization/Cookie headers across HTTP 3xx redirects openSUSE patch...

6.1CVSS6.9AI score0.01104EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/15 12:0 a.m.22 views

Debian dla-4583 : idle-python3.9 - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4583 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4583-1 [email protected]...

7.5CVSS6.6AI score0.00621EPSS
Exploits0References14
Vulnrichment
Vulnrichment
added 2026/05/14 3:58 p.m.7 views

CVE-2026-44503 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS5.8AI score0.00505EPSS
Exploits0References1
OSV
OSV
added 2026/05/14 3:58 p.m.3 views

CVE-2026-44503 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS6AI score0.00505EPSS
Exploits0References3
OSV
OSV
added 2026/05/11 9:31 p.m.9 views

GHSA-G2WM-735Q-3F56 cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cowcookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs...

3.2CVSS5.9AI score0.00145EPSS
Exploits0References5
CVE
CVE
added 2026/05/11 7:4 p.m.17 views

CVE-2026-42874

CVE-2026-42874 affects Microdot prior to version 2.6.1, where Response.set_cookie() does not sanitize string arguments and fails to detect the CRLF sequence, enabling HTTP header injection via cookie storage. Exploitation requires the attacker to first compromise a client (e.g., through a separat...

3.7CVSS5.8AI score0.00215EPSS
Exploits0References3
Rows per page
Query Builder