Lucene search
K

76 matches found

Tenable Nessus
Tenable Nessus
added 5 days ago6 views

Linux Distros Unpatched Vulnerability : CVE-2026-59883

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP- address or bare-numeric Domain values to the exact ho...

6.1CVSS6.1AI score0.00115EPSS
Exploits0References3
OSV
OSV
added 6 days ago3 views

DEBIAN-CVE-2026-59883

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain applied ordinary suffix matching to domains such as 192.168.0.1, ::1, or 1, allowing...

6.1CVSS6.1AI score0.00115EPSS
Exploits0References1
NVD
NVD
added 6 days ago7 views

CVE-2026-59883

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain applied ordinary suffix matching to domains such as 192.168.0.1, ::1, or 1, allowing...

6.1CVSS0.00115EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 3:26 p.m.5 views

GO-2026-5890 Kerberos Hub private key (X-Kerberos-Hub-PrivateKey) leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect in github.com/kerberos-io/agent/machinery

Kerberos Hub private key X-Kerberos-Hub-PrivateKey leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect in github.com/kerberos-io/agent/machinery...

5.9AI score
Exploits0References2
Fedora
Fedora
added 2026/07/03 1:9 a.m.9 views

[SECURITY] Fedora 43 Update: apptainer-1.5.2-1.fc43

Apptainer provides functionality to make portable containers that can be used across host environments...

7.5CVSS5.7AI score0.00939EPSS
Exploits0
OSV
OSV
added 2026/07/02 5:33 p.m.3 views

GHSA-H5GX-45RJ-2H5J Kerberos Hub private key (X-Kerberos-Hub-PrivateKey) leaked to cross-host redirect target due to redirect-following HTTP client without CheckRedirect

Summary The Kerberos Hub upload path sends the agent's Hub credentials in the custom X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey request headers to the operator-configured Hub URL config.HubURI. The HTTP client used &http.Client in UploadKerberosHub is constructed without a CheckRedire...

6.9CVSS5.9AI score
Exploits0References3
OSV
OSV
added 2026/07/01 9:35 p.m.5 views

GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header

Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...

7.5CVSS5.8AI score
Exploits0References5
OSV
OSV
added 2026/07/01 8:17 p.m.3 views

DEBIAN-CVE-2026-55688

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without...

4CVSS5.8AI score0.00179EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 2:8 p.m.8 views

EUVD-2026-41003

A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing...

6.5CVSS5.7AI score0.00242EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/25 9:15 p.m.6 views

CVE-2026-11703

Missing SNI/ALPN binding on stateful session-ID resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual host...

6CVSS5.9AI score0.0021EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/25 9:15 p.m.38 views

CVE-2026-11703

The CVE-2026-11703 entry describes a vulnerability in stateful (session-ID) TLS resumption where missing SNI/ALPN binding allowed a cached session to be resumed under a different SNI/ALPN than originally negotiated. The root cause is the absence of binding checks for stateful resumption paths, wh...

7.5CVSS5.9AI score0.0021EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/25 6:43 p.m.3 views

GO-2026-5224 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect in github.com/microsoft/kiota-http-go

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect in github.com/microsoft/kiota-http-go...

7CVSS5.8AI score0.00505EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/11 5:18 p.m.11 views

CVE-2026-47157 aiograpi: Unsafe signup challenge path handling

aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for...

6.5CVSS5.4AI score0.00195EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.7 views

FreeBSD : Erlang/OTP -- httpc leaks authentication headers on cross-host redirect (d87e2466-64d4-11f1-ab11-4c526214c986)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the d87e2466-64d4-11f1-ab11-4c526214c986 advisory. https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh reports: The HTTP client httpc in...

7.1CVSS5.4AI score0.00335EPSS
Exploits0References3
FreeBSD
FreeBSD
added 2026/06/10 12:0 a.m.8 views

Erlang/OTP -- httpc leaks authentication headers on cross-host redirect

https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh reports: The HTTP client httpc in inets now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port, following the requirements of RFC 9110 section...

7.1CVSS5.5AI score0.00335EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.10 views

CVE-2026-44372

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta...

6.1CVSS5.4AI score0.00237EPSS
Exploits0References1
OSV
OSV
added 2026/05/21 7:28 p.m.34 views

GHSA-3R75-XC34-5F44 Crawlee for Python: SSRF via sitemap-derived URLs

Overview - Vulnerability type: Blind SSRF - Affected components: src/crawlee/utils/sitemap.py, src/crawlee/utils/robots.py, src/crawlee/requestloaders/sitemaprequestloader.py, and all built-in HTTP clients. - Trigger: an attacker-controlled sitemap or robots.txt containing a URL that points to an...

2.3CVSS6.4AI score0.00286EPSS
Exploits0References4
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in Pypy

Python versions 2.7.x through 2.7.16, and 3.x through 3.7.2 are affected by improper handling of Unicode encoding with an incorrect netloc during NFKC normalization. The impact is information disclosure—credentials, cookies, etc., that are cached against a given hostname. The affected components...

9.8CVSS6.7AI score0.09125EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/14 3:58 p.m.86 views

CVE-2026-44503 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie,...

7CVSS0.00505EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 3:58 p.m.65 views

CVE-2026-44503

CVE-2026-44503 affects the RedirectHandler in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0, and similar Kiota libraries). The root cause is that when following 3xx redirects to a different host or scheme, only the Authorization header is removed; Cookie, Proxy-Auth...

7CVSS5.8AI score0.00505EPSS
Exploits0References1
Rows per page
Query Builder