7965 matches found
GHSA-P6HG-QH38-555R Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service
Summary There is a medium severity information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie,...
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the errors middleware process. An attacker can obtain sensitive authentication headers, such as Authorization and Cookie, by triggering a backend response that matches the configured...
Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service
Summary There is a medium severity information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie,...
JLSEC-2026-397
When curl is used to retrieve and parse cookies from a HTTPS server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings...
Information Exposure
org.springframework.grpc, spring-grpc-core is vulnerable to information exposure through error messages. The vulnerability is due to returning raw server-side AuthenticationException messages in the gRPC status description, which allows an attacker to gather authentication failure details and...
PT-2026-37111
Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.44 Traefik versions prior to 3.6.15 Traefik versions prior to 3.7.0-rc.3 Description An information disclosure issue exists in the errors custom error pages middleware. When a backend returns a response matching...
PT-2026-37137
Name of the Vulnerable Software and Affected Versions Incus versions prior to 7.0.0 Description Missing error handling in the TransferManager.UploadAllFiles function allows an authenticated user to cause a daemon crash. The issue occurs during the import of a truncated or corrupted storage bucket...
Astra Linux - vulnerability in gimp
A flaw was found in GIMP when processing XCF image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing use-after-free issues...
Astra Linux - vulnerability in linux-5.10
In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd/pm: resolve reboot exception for si oland" This reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86. This causes hangs on SI when DC is enabled and errors on driver reboot and power off cycles...
Astra Linux - vulnerability in linux-5.10, linux-5.15
In the Linux kernel, the following vulnerability has been resolved: ext4: Do not set SB_RDONLY after filesystem errors When the filesystem is mounted with errors=remount-ro, we previously set the SB_RDONLY flag to prevent any further modifications to the filesystem. We knew that this approach misse...
Astra Linux - vulnerability in linux, linux-5.10
In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix flipped sign in tls_err_abort calls sk->sk_err appears to expect a positive value, a convention that ktls doesn't always follow and that leads to memory corruption in other code. For instance, kworker tls_encrypt_done...,...
Astra Linux - vulnerability in linux-5.10
In the Linux kernel, the following vulnerability has been resolved: tracing/probes: The error check in parse_btf_field has been fixed. btf_find_struct_member may return NULL or an error via the ERR_PTR macro. However, its caller in parse_btf_field only checks for the NULL condition. This issue is fixed b...
Astra Linux - vulnerability in linux-5.10, linux-5.15
In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on irq uninstall In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL. Patchwork:...
Astra Linux - vulnerability in linux-5.15, linux-5.10
In the Linux kernel, the following vulnerability has been resolved: media: max9286: Free control handler The control handler is leaked in some probe-time error paths, as well as in the remove path. Fix it...
Astra Linux - vulnerability in curl
When curl is instructed to use the Certificate Status Request TLS extension, also known as OCSP stapling, to verify that the server certificate is valid, it may fail to detect certain OCSP issues and instead incorrectly consider the response to be fine. If the returned status reports an error oth...
Astra Linux - vulnerability in linux-6.1
In the Linux kernel, the following vulnerabilities have been resolved: crypto: sun8i-ce-cipher – Fixed error handling in sun8i_ce_cipher_prepare. Fixed two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare: 1) If dma_map_sg fails for areq->dst, the device driver will attempt to free DMA memor...
Astra Linux - vulnerability in linux-5.15
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix connections leak when tlink setup failed If the tlink setup failed, lost to put the connections, then the module refcnt leak since the cifsd kthread not exit. Also leak the fscache info, and for next mount with fsc, it...