Lucene search
K

447 matches found

Tenable Nessus
Tenable Nessus
added 6 days ago6 views

SUSE SLES15 Security Update : nodejs24 (SUSE-SU-2026:2633-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2633-1 advisory. This update for nodejs24 fixes the following issues Update to 24.17.0: - CVE-2026-2581: undici: Undici: Denial of Service due to...

9.8CVSS6.7AI score0.02445EPSS
Exploits3References64
OSV
OSV
added last week2 views

SUSE-SU-2026:2633-1 Security update for nodejs24

This update for nodejs24 fixes the following issues Update to 24.17.0: - CVE-2026-2581: undici: Undici: Denial of Service due to uncontrolled resource consumption bsc1268480. - CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response...

9.8CVSS6AI score0.02445EPSS
Exploits3References43
NVD
NVD
added 2026/06/25 9:16 a.m.6 views

CVE-2026-53224

In the Linux kernel, the following vulnerability has been resolved: sctp: validate embedded INIT chunk and address list lengths in cookie sctpunpackcookie only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large...

9.1CVSS0.00547EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/25 8:39 a.m.4 views

EUVD-2026-39315

In the Linux kernel, the following vulnerability has been resolved: sctp: validate embedded INIT chunk and address list lengths in cookie sctpunpackcookie only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large...

5.7AI score0.00547EPSS
Exploits0References3
OSV
OSV
added 2026/06/24 2:0 p.m.2 views

UBUNTU-CVE-2026-8924

A flaw in curl's cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains...

5.9AI score
Exploits0References3
OSV
OSV
added 2026/06/24 8:0 a.m.5 views

CURL-CVE-2026-8924 trailing dot domain super cookie

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

5.9AI score
Exploits0
NVD
NVD
added 2026/06/22 6:16 p.m.13 views

CVE-2026-54287

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

5.3CVSS0.00186EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 5:13 p.m.4 views

CVE-2026-54287

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

5.3CVSS5.9AI score0.00186EPSS
Exploits0References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.21 views

Linux Distros Unpatched Vulnerability : CVE-2026-9679

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into the...

5.9CVSS7.2AI score0.00257EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/19 2:21 p.m.8 views

EUVD-2026-37764

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding...

5.9CVSS5.8AI score0.00257EPSS
Exploits0References3
OSV
OSV
added 2026/06/19 2:21 p.m.6 views

GHSA-P88M-4JFJ-68FV undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Impact undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

5.9CVSS6AI score0.00257EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/19 2:21 p.m.12 views

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Impact undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...

5.9CVSS6AI score0.00257EPSS
Exploits0References4Affected Software1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.6 views

Astra Linux – Vulnerability in Jetty9

Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or perform unintended behaviors by tampering with the cookie parsing mechanism. If Jetty encounters a cookie value that starts with a double quot...

5.3CVSS6.5AI score0.013EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.7 views

Astra Linux – Vulnerability in Python-Werkzeug

Werkzeug is a comprehensive WSGI web application library. Browsers may allow “nameless” cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on a neighboring subdomain to exploit this to set a cookie like =Host-test=bad for another subdomain...

3.5CVSS6.2AI score0.00507EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.5 views

Astra Linux – Vulnerability in Ruby 2.5

In the CGI gem before version 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service DoS vulnerability. This method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumpti...

7.5CVSS6.6AI score0.00784EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/17 11:9 p.m.7 views

CVE-2026-9679

A flaw was found in undici. The cookie parser in the parseSetCookie function incorrectly decodes cookie values, which is contrary to standard specifications. This vulnerability allows an attacker-controlled upstream to inject arbitrary HTTP response headers, such as Set-Cookie, Location, or...

5.9CVSS5AI score0.00257EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/17 6:22 p.m.8 views

Permissive List of Allowed Inputs

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via permissive substring matching in the Set-Cookie attribute parsing. An attacker can weaken cookie SameSite enforcement by crafting a...

8.3CVSS5.9AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:22 p.m.7 views

Permissive List of Allowed Inputs

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via permissive substring matching in the Set-Cookie attribute parsing. An attacker can weaken cookie SameSite enforcemen...

8.3CVSS5.9AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:21 p.m.7 views

CRLF Injection

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to CRLF Injection in the parseSetCookie. An attacker can inject arbitrary HTTP headers by supplying specially crafted percent-encoded values in the Set-Cookie header, which...

9.2CVSS6AI score0.00257EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:21 p.m.7 views

CRLF Injection

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to CRLF Injection in the parseSetCookie. An attacker can inject arbitrary HTTP headers by supplying specially crafted percent-encoded values in the Set-Cooki...

9.2CVSS6AI score0.00257EPSS
Exploits0References2
Rows per page
Query Builder