CVE-2026-21790

HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks...

CVE-2026-21790 HCL Traveler is susceptible to a weak default HTTP header validation vulnerability

HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks...

CVE-2026-1694

HTTP headers are added by the default configuration of IIS and ASP.net, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It unnecessarily exposes sensitive information...

USN-7612-1 python-flask-cors vulnerabilities

It was discovered that Flask-CORS did not correctly handle certain regular expressions. A remote attacker could possibly use this issue to leak sensitive information or bypass authentication mechanisms. CVE-2024-6839 It was discovered that Flask-CORS allowed certain CORS headers to be enabled by...

BIT-HUBBLE-RELAY-2025-23047 Cilium vulnerable to information leakage via insecure default Hubble UI CORS header

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure for users of Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 who...

libreswan: IKEv1 default AH/ESP responder can crash and restart

A flaw was found in Libreswan, where it was identified to contain an assertion failure issue in the computeprotokeymat function. The vulnerability can be exploited when an IKEv1 connection is loaded with an AH/ESP default setting when no esp= line is present in the connection. This flaw allows an...

SUSE CVE-2015-4147

The SoapClient::call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that defaultheaders is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a...

DEBIAN-CVE-2022-41915

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to...

HTTP Response Splitting

Overview io.jooby:jooby-netty is a netty implementation in jooby Affected versions of this package are vulnerable to HTTP Response Splitting. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting. Remediation Upgrad...

Insecure Default Headers

github.com/gravitational/teleport is contains insecure default headers for web security. By default, it does not use the Strict-Transport-Security, as well as the Content-Security-Policy headers, allowing a malicious user to conduct a man in the middle attack against it...

UBUNTU-CVE-2015-4147

The SoapClient::call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that defaultheaders is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a...

USN-2591-1 curl vulnerabilities

Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP. CVE-2015-3143 Hanno Böck discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially...