168 matches found

NVD
added 3 days ago | 7 views

CVE-2026-55767

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...

CVSS 5.8 | EPSS 0.00111
Exploits: 0 | References: 1
Cvelist
added 3 days ago | 28 views

CVE-2026-55767 Guzzle: Dot-Only Cookie Domains Match All Hosts in guzzlehttp/guzzle

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...

CVSS 5.8 | EPSS 0.00111
Exploits: 0 | References: 1
Debian CVE
added 3 days ago | 7 views

CVE-2026-55767

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...

CVSS 5.8 | AI score 5.9 | EPSS 0.00111
Exploits: 0
NVD
added 4 days ago | 7 views

CVE-2026-54279

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. This vulnerability is fixed in 3.14.1...

CVSS 5.3 | EPSS 0.00263
Exploits: 0 | References: 2
Cvelist
added 4 days ago | 30 views

CVE-2026-54279 AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. This vulnerability is fixed in 3.14.1...

CVSS 5.3 | EPSS 0.00263
Exploits: 0 | References: 2
ATTACKERKB
added 4 days ago | 3 views

CVE-2026-54279

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. This vulnerability is fixed in 3.14.1...

CVSS 5.3 | AI score 5.8 | EPSS 0.00263
Exploits: 0 | References: 3 | Affected Software: 1
Tenable Nessus
added 4 days ago | 6 views

Linux Distros Unpatched Vulnerability : CVE-2026-54279

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then...

CVSS 5.3 | AI score 5.9 | EPSS 0.00263
Exploits: 0 | References: 3
Github Security Blog
added 2026/06/19 2:37 p.m. | 7 views

guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts

Impact: CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...

CVSS 5.8 | AI score 5.9 | EPSS 0.00111
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2026/06/19 2:37 p.m. | 18 views

GHSA-CWXW-98QJ-8QJX guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts

Impact: CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...

CVSS 5.8 | AI score 5.9 | EPSS 0.00111
Exploits: 0 | References: 2
Friends Of PHP
added 2026/06/18 2:12 p.m. | 7 views

Dot-only cookie domains match all hosts

Impact: CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...

CVSS 5.8 | AI score 5.9 | EPSS 0.00111
Exploits: 0 | Affected Software: 1
Hacker One
added 2026/06/06 11:38 a.m. | 17 views

curl: libcurl: HTTP/1.x bare LF byte in response header value enables cookie jar pollution and POST body/credential exfiltration via redirect — RC=0, curl 8

Summary: curl's HTTP/1.x response header parser splits header lines using a single memchr(buf, '\n', blen) call (lib/http.c:4457), with no awareness of whether the current position is inside a quoted-string value. A server response containing any header field whose value embeds a raw LF byte \x0a caus...

AI score 5.5
Exploits: 0
SUSE CVE
added 2026/06/04 2:24 a.m. | 8 views

SUSE CVE-2026-34993

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...

CVSS 7 | AI score 6.1 | EPSS 0.00115
Exploits: 0 | References: 4
EUVD
added 2026/06/03 8:56 p.m. | 13 views

EUVD-2026-34001

AIOHTTP is Vulnerable to Deserialization of Untrusted Data...

CVSS 6.4 | AI score 5.8 | EPSS 0.00115
Exploits: 0 | References: 3
Github Security Blog
added 2026/06/03 8:56 p.m. | 17 views

AIOHTTP is Vulnerable to Deserialization of Untrusted Data

Summary: Using CookieJar.load with untrusted input may allow arbitrary code execution. Impact: Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Workaround: If an application does allow attacker controlled files to be...

CVSS 7.3 | AI score 6.1 | EPSS 0.00115
Exploits: 0 | References: 4 | Affected Software: 1
Positive Technologies
added 2026/06/03 12:0 a.m. | 11 views

PT-2026-46099

Summary: Using CookieJar.load with untrusted input may allow arbitrary code execution. Impact: Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Workaround: If an application does allow attacker controlled files to be...

CVSS 6.4 | AI score 6.1 | EPSS 0.00115
Exploits: 0 | References: 5
CVE
added 2026/06/02 6:29 p.m. | 94 views

CVE-2026-34993

In CVE-2026-34993, AIOHTTP prior to 3.14.0 is vulnerable: using CookieJar.load() with untrusted input may lead to arbitrary code execution. The issue stems from deserializing untrusted data in the cookie jar. The advisory notes that most applications will be unaffected since data are user-owned, ...

CVSS 7.3 | AI score 6.1 | EPSS 0.00115
Exploits: 0 | References: 2 | Affected Software: 1
IBM Security Bulletins
added 2026/06/02 4:18 a.m. | 10 views

Security Bulletin: Multiple vulnerabilities in IBM Rational Functional Tester / DevOps Test UI

Summary: Multiple vulnerabilities were addressed in DevOps Test UI version 11.0.7. Vulnerability Details: CVEID: CVE-2024-53990 DESCRIPTION: The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request...

CVSS 9.4 | AI score 6.7 | EPSS 0.63258
Exploits: 5 | Affected Software: 1
Positive Technologies
added 2026/06/02 12:0 a.m. | 9 views

PT-2026-45829

Name of the Vulnerable Software and Affected Versions: AIOHTTP versions prior to 3.14.0. Description: Using the CookieJar.load function with untrusted input may allow arbitrary code execution. This issue is unlikely to affect many applications as most use this function with the user's own data...

CVSS 7.3 | AI score 6.1 | EPSS 0.00115
Exploits: 0 | References: 41
OSV
added 2026/05/25 9:5 a.m. | 5 views

OPENSUSE-SU-2026:20792-1 Security update for perl-HTTP-Tiny

This update for perl-HTTP-Tiny fixes the following issues: Changes in perl-HTTP-Tiny: - updated to 0.094 0.094 - No changes from 0.093-TRIAL 0.093 - fix to prevent invalid characters in all headers, and prevent header smuggling CVE-2026-7010 bsc1264992 - updated to 0.092 0.092 - No changes from...

CVSS 6.5 | AI score 5.8 | EPSS 0.00227
Exploits: 0 | References: 2
AstraLinux
added 2026/05/20 5:53 a.m. | 3 views

Astra Linux - vulnerability in firefox, thunderbird

When the number of cookies per domain was exceeded in document.cookie, the actual cookie jar sent to the host was no longer consistent with the expected state of the cookie jar. This could result in requests being sent with some cookies missing. This vulnerability affects Firefox 116, Firefox ESR...

CVSS 7.5 | AI score 7.1 | EPSS 0.00614
Exploits: 0 | References: 2