Lucene search
K

44 matches found

Tenable Nessus
Tenable Nessus
added 5 days ago6 views

libcurl 7.46.0 < 8.21.0 Super Cookie PSL Bypass (CVE-2026-8924)

The version of libcurl installed on the remote host is 7.46.0 prior to 8.21.0. It is, therefore, affected by a cookie injection vulnerability: - A flaw in curl's cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an...

9.1CVSS6.1AI score0.00649EPSS
Exploits1References2
NVD
NVD
added 2026/07/03 7:16 a.m.7 views

CVE-2026-8924

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

9.1CVSS0.00649EPSS
Exploits1References3
Debian CVE
Debian CVE
added 2026/07/01 7:40 p.m.6 views

CVE-2026-55688

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without...

4CVSS5.8AI score0.00179EPSS
Exploits0
Cvelist
Cvelist
added 2026/07/01 7:40 p.m.38 views

CVE-2026-55688 AsyncHttpClient: Cookie stored for an unrelated domain (cookie tossing) via ThreadSafeCookieStore

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without...

4CVSS0.00179EPSS
Exploits0References2
OSV
OSV
added 2026/06/24 2:0 p.m.3 views

UBUNTU-CVE-2026-8924

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

9.1CVSS6.1AI score0.00649EPSS
Exploits1References4
OSV
OSV
added 2026/06/24 8:0 a.m.5 views

CURL-CVE-2026-8924 trailing dot domain super cookie

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains...

9.1CVSS5.9AI score0.00649EPSS
Exploits1
NVD
NVD
added 2026/06/23 4:17 p.m.11 views

CVE-2026-55767

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...

5.8CVSS0.00111EPSS
Exploits0References1
OSV
OSV
added 2026/06/22 4:32 p.m.5 views

CVE-2026-54279 AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. This vulnerability is fixed in 3.14.1...

5.3CVSS6AI score0.00279EPSS
Exploits0References4
CVE
CVE
added 2026/06/22 4:32 p.m.54 views

CVE-2026-54279

CVE-2026-54279 affects the aiohttp library (Python asyncio framework). Prior to version 3.14.1, host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() may lose their host-only status, effectively becoming domain cookies. The issue is fixed in aiohttp 3.14.1. Affect...

7.5CVSS5.8AI score0.00279EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 8:8 p.m.9 views

aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...

7.5CVSS5.3AI score0.00279EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/15 8:8 p.m.11 views

GHSA-2FQR-MR3J-6WP8 aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...

5.3CVSS5.4AI score0.00279EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerability in Firefox and Thunderbird

When the number of cookies per domain was exceeded in document.cookie, the actual cookie jar sent to the host was no longer consistent with the expected state of the cookie jar. This could result in requests being sent with some cookies missing. This vulnerability affects Firefox 116, Firefox ESR...

7.5CVSS6.7AI score0.00614EPSS
Exploits0References2
OSV
OSV
added 2026/03/24 4:33 p.m.1 views

GHSA-GMFG-3V4Q-9QR4 Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting

Impact Official Weighted Severity Rating: Low This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, any other value other than unconfigured should be very carefully evaluated regardles...

2.1CVSS5.9AI score0.00226EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.18 views

PT-2026-27623

Name of the Vulnerable Software and Affected Versions Authelia versions 4.39.15 Description Authelia is an open-source authentication and authorization server. An attacker may potentially be able to inject javascript into the Authelia login page if specific conditions are met, including...

2.1CVSS6AI score0.00226EPSS
Exploits1References4
Hacker One
Hacker One
added 2025/12/22 4:34 p.m.15 views

curl: Public-suffix cookie injection when libpsl is disabled

Summary: When libcurl is built without libpsl, Domain attribute validation accepts public suffixes like .co.uk, allowing a malicious host to plant cookies that are later sent to unrelated sibling domains using the same cookie jar. AI assistance was used to draft this report. Steps to Reproduce: 1...

6.6AI score
Exploits0
EUVD
EUVD
added 2025/10/03 8:7 p.m.10 views

EUVD-2025-14754

Malicious code in bioql PyPI...

8.6CVSS6.4AI score0.00423EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2025/04/14 11:15 p.m.10 views

CVE-2025-31491 AutoGPT allows leakage of cross-domain cookies and protected headers in requests redirect

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows of leakage of cross-domain cookies and protected headers in requests redirect. AutoGPT uses a wrapper around the requests...

8.6CVSS6.7AI score0.00423EPSS
Exploits1References1
Cvelist
Cvelist
added 2025/04/14 11:15 p.m.27 views

CVE-2025-31491 AutoGPT allows leakage of cross-domain cookies and protected headers in requests redirect

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows of leakage of cross-domain cookies and protected headers in requests redirect. AutoGPT uses a wrapper around the requests...

8.6CVSS0.00423EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/04/14 12:0 a.m.6 views

AutoGPT 信息泄露漏洞

AutoGPT is a tool from AutoGPT Open Source. Used to enable everyone to use and build accessible AI. An information disclosure vulnerability exists in versions of AutoGPT prior to 0.6.1 that stems from the presence of cross-domain cookies and protected header disclosure in request redirects...

8.6CVSS5.9AI score0.00423EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2024/05/15 12:0 a.m.3 views

PT-2024-40303 · Artax · Artax

Name of the Vulnerable Software and Affected Versions: artax versions prior to 1.0.6 artax versions 2 prior to 2.0.6 Description: The issue allowed cookies of foo.bar.example.com to be leaked to foo.bar. Furthermore, any site could set cookies for any other site. This was resolved by artax...

7AI score
Exploits0References6
Rows per page
Query Builder