CVE-2026-43969

A flaw was found in cowlib, a library used for handling HTTP cookies. An attacker can exploit this vulnerability by injecting special characters, such as carriage return CR and line feed LF, into cookie names or values due to improper input validation. This allows for HTTP request splitting,...

Improper Access Control

Hono is vulnerable to Improper Access Control. The vulnerability is due to inconsistent cookie parsing between browsers and the parse function, where differently formatted cookie names may be normalized to the same key, allowing attacker-controlled cookies to override legitimate ones and bypass...

HTTP Response Splitting

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTTP Response Splitting via the setCookie function. An attacker can cause runtime errors and potentially disrupt application behavior by supplying specially crafted input as the cookie...

GHSA-26PP-8WGV-HJVM Hono missing validation of cookie name on write path in setCookie()

Summary Cookie names are not validated on the write path when using setCookie, serialize, or serializeSigned to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent...

BIT-PYTHON-2026-0672 Header injection in http.cookies.Morsel

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

BIT-LIBPYTHON-2026-0672 Header injection in http.cookies.Morsel

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

EUVD-2026-3521

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

DEBIAN-CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

AZL-75026 CVE-2026-0672 affecting package python3 for versions less than 3.12.9-8

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

UBUNTU-CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

PSF-2026-5

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...

EUVD-2023-0828

Malicious code in bioql PyPI...

$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities

...

Linux Distros Unpatched Vulnerability : CVE-2020-7070

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are...

BIT-RUBY-2021-41819

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby...

UBUNTU-CVE-2023-28117

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitiv...

Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`

Impact When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their...