25 matches found
CVE-2026-44546
A flaw was found in daphne. This vulnerability arises from a parser differential where daphne reconstructs HTTP requests from Twisted's headers, but Twisted and autobahn handle certain header line separators differently. An attacker can exploit this to inject additional headers into the ASGI...
CVE-2026-44545
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
CVE-2026-44546
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
UBUNTU-CVE-2026-44545
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
UBUNTU-CVE-2026-44546
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
CVE-2026-44546
The vulnerability (CVE-2026-44546) affects the Daphne web server prior to 4.2.2. It stems from a parser differential between Twisted and Autobahn: Twisted does not treat certain bytes (0x0b, 0x0c, 0x1c, 0x1d, 0x1e, 0x85) as header separators, while Autobahn decodes header values to str and calls ...
CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
CVE-2026-44546
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
CVE-2026-44546
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
EUVD-2026-34092
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
CVE-2026-44545
CVE-2026-44545 affects daphne before 4.2.2. The issue arises because it did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn’s WebSocketServerFactory. Autobahn defaults these values to 0 (unlimited), enabling an unauthenticated remote attacker to send arbitrarily large WebSocket ...
CVE-2026-44545
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
CVE-2026-44545
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
CVE-2026-44545 Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
CVE-2026-44545 Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
EUVD-2026-34091
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
PT-2026-45941
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat x0b, x0c, x1c, x1d, x1e, or x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
PT-2026-45940
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...
Django daphne 输入验证错误漏洞
Daphne is an open-source ASGI protocol server developed by Django, which supports HTTP, HTTP2, and WebSocket. Versions of Daphne prior to 4.2.2 contained security vulnerabilities. These vulnerabilities were due to differences in the parser, which could allow attackers to inject additional headers...