Lucene search

45 matches found

EUVD
added 2026/03/13 8:41 p.m., 0 views

EUVD-2026-11701

Undici has CRLF Injection in undici via upgrade option...

CVSS 4.6, AI score 5.8, EPSS 0.00012
Exploits: 0, References: 4
Github Security Blog
added 2026/03/13 8:41 p.m., 4 views

Undici has CRLF Injection in undici via `upgrade` option

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: 1. Inject arbitrary HTTP headers 2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

CVSS 4.6, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 5, Affected Software: 1
NVD
added 2026/03/12 9:16 p.m., 4 views

CVE-2026-1527

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

CVSS 4.6, EPSS 0.00012
Exploits: 0, References: 3
OSV
added 2026/03/12 9:16 p.m., 1 views

CVE-2026-1527

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

CVSS 4.6, AI score 5.9
Exploits: 0, References: 3
OSV
added 2026/03/12 9:16 p.m., 3 views

UBUNTU-CVE-2026-1527

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

CVSS 4.6, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 2
Cvelist
added 2026/03/12 8:17 p.m., 20 views

CVE-2026-1527 undici is vulnerable to CRLF Injection via upgrade option

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

CVSS 4.6, EPSS 0.00012
Exploits: 0, References: 3
CVE
added 2026/03/12 8:17 p.m., 8 views

CVE-2026-1527

Undici (Node.js HTTP client) is vulnerable to a CRLF injection via the upgrade option in client.request() when user-controlled input is passed to the upgrade value. The root cause is that the upgrade value is written directly to the socket without validating header characters, allowing an attacke...

CVSS 4.6, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2026/03/12 8:17 p.m., 3 views

CVE-2026-1527 undici is vulnerable to CRLF Injection via upgrade option

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

CVSS 4.6, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/12 8:17 p.m., 2 views

CVE-2026-1527

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

CVSS 4.6, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 4
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2014-1645

Malware in sbrugna...

CVSS 7.5, AI score 7.6, EPSS 0.03635
Exploits: 4, References: 23
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2018-6558

Malware in sbrugna...

CVSS 5.9, AI score 6.1, EPSS 0.00016
Exploits: 0, References: 4
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-1192

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00313
Exploits: 1, References: 3
SUSE CVE
added 2025/04/12 3:31 a.m., 1 views

SUSE CVE-2025-1386

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream...

CVSS 5.3, AI score 6.8, EPSS 0.00048
Exploits: 0, References: 4
OSV
added 2025/02/04 7:21 a.m., 4 views

BIT-MLFLOW-2024-1593 Path Traversal via Parameter Smuggling in mlflow/mlflow

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. Th...

CVSS 7.5, AI score 7.4, EPSS 0.00313
Exploits: 1, References: 2
Github Security Blog
added 2024/04/16 12:30 a.m., 14 views

mlflow vulnerable to Path Traversal

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. Th...

CVSS 7.5, AI score 7.5, EPSS 0.00313
Exploits: 1, References: 3, Affected Software: 1
NVD
added 2024/04/16 12:15 a.m., 5 views

CVE-2024-1593

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. Th...

CVSS 7.5, AI score 7.5, EPSS 0.00313
Exploits: 1, References: 1
Vulnrichment
added 2024/04/16 12:00 a.m., 15 views

CVE-2024-1593 Path Traversal via Parameter Smuggling in mlflow/mlflow

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. Th...

CVSS 7.5, AI score 6.8, EPSS 0.00313
Exploits: 1, References: 1
CVE
added 2024/04/16 12:00 a.m., 60 views

CVE-2024-1593

This CVE describes a path traversal vulnerability in the mlflow/mlflow repository caused by improper handling of URL parameters. Attackers can smuggle path traversal sequences using the ';' character in URLs to manipulate the 'params' portion and access unauthorized files or directories. The repo...

CVSS 7.5, AI score 7.4, EPSS 0.00313
Exploits: 1, References: 1, Affected Software: 1
Hacker One
added 2024/01/19 6:09 p.m., 174 views

Internet Bug Bounty: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling (Client-Side Desync) (CWE: 444)

SECURITY CVE-2024-21733 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43 Apache Tomcat 8.5.7 to 8.5.63 Description: Incomplete POST requests triggered an error response that could contain data fr...

CVSS 5.3, AI score 5.8, EPSS 0.70951
Exploits: 3
SUSE CVE
added 2023/02/28 3:44 a.m., 2 views

SUSE CVE-2018-14663

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a...

CVSS 5.9, AI score 6.9, EPSS 0.00016
Exploits: 0, References: 6