5020 matches found
CVE-2026-39507
Unauthenticated Cross Site Scripting XSS in Social Slider Feed = 2.3.2 versions...
CVE-2026-39434
Shop manager PHP Object Injection in CTX Feed = 6.6.26 versions...
CVE-2026-39441
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free = 5.3 versions...
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
Summary Before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControlb is true 0x00–0x1F and 0x7F as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance...
CVE-2026-39507
The CVE-2026-39507 entry refers to the WordPress Social Slider Feed plugin, affected in versions <= 2.3.2, with an unauthenticated Cross Site Scripting (XSS) vulnerability. The issue is described as unauthenticated XSS in Social Slider Feed
CVE-2026-39507 WordPress Social Slider Feed plugin <= 2.3.2 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in Social Slider Feed = 2.3.2 versions...
CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free = 5.3 versions...
CVE-2026-39441
CVE-2026-39441 affects the WordPress plugin Feed KuantoKusta for WooCommerce – Free, version
CVE-2026-39434 WordPress CTX Feed plugin <= 6.6.26 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in CTX Feed = 6.6.26 versions...
CVE-2026-39434
CVE-2026-39434 affects WordPress CTX Feed plugin (WebAppick CTX Feed) versions
GHSA-M6QW-4CW2-HM4M aiohttp: CRLF injection in multipart headers
Summary Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. Impact In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.appendheaders=... or Payload.headers, the...
GHSA-HMW2-7CC7-3QXX form-data: CRLF injection in form-data via unescaped multipart field names and filenames
Summary form-data builds multipart/form-data request bodies. Through v4.0.5, the field name passed to FormDataappend and the filename option are concatenated directly into the Content-Disposition header with no escaping of CR \r, LF \n, or ". An application that uses untrusted input as a field na...
PT-2026-49371
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free = 5.3 versions...
PT-2026-49369
Shop manager PHP Object Injection in CTX Feed = 6.6.26 versions...
UBUNTU-CVE-2026-43966
Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cowhttpstructhd:escapestring/2 in cowlib only escapes \ and ", passing all other byt...
PT-2026-49389
Unauthenticated Cross Site Scripting XSS in Social Slider Feed = 2.3.2 versions...
CVE-2026-42850
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as su...
DEBIAN-CVE-2026-12143
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return CR, line feed LF, or double-quote "...
CVE-2026-12143
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return CR, line feed LF, or double-quote "...
UBUNTU-CVE-2026-12143
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return CR, line feed LF, or double-quote "...