Astra Linux - уязвимость в squid

In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, a Denial of Service can occur when processing long Gopher server responses due to improper buffer management...

JLSEC-2026-398

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTPS URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request HTTP...

Astra Linux - уязвимость в squid

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggeri...

Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations

Required Permissions The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" "Create assets in the volume" Details The implementation fails to restrict the URL Scheme. While the application is intended to "upload assets", there is no...

GHSA-3M9M-24VH-39WX Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations

Required Permissions The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" "Create assets in the volume" Details The implementation fails to restrict the URL Scheme. While the application is intended to "upload assets", there is no...

CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parseurls API function in src/pyload/core/api/init.py fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated...

CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parseurls API function in src/pyload/core/api/init.py fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated...

CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parseurls API function in src/pyload/core/api/init.py fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated...

CVE-2026-35187

CVE-2026-35187 affects pyload/pyload-ng prior to 0.5.0b3.dev97, where parse_urls(...) calls get_url(url) without URL validation, protocol restriction, or IP blacklist. This enables Server-Side Request Forgery (SSRF) via crafted URLs and multi‑protocol support (http/https, file://, gopher://, dict...

PT-2026-30319

Vulnerability Details CWE-918: Server-Side Request Forgery SSRF The parse urls API function in src/pyload/core/api/ init .py line 556 fetches arbitrary URLs server-side via get urlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permissi...

Experts Detect Pakistan-Linked Cyber Campaigns Aimed at Indian Government Entities

Indian government entities have been targeted in two campaigns undertaken by a threat actor that operates in Pakistan using previously undocumented tradecraft. The campaigns have been codenamed Gopher Strike and Sheet Attack by Zscaler ThreatLabz, which identified them in September 2025. "While...

MiracleLinux 8 : squid:4 (AXSA:2022-3793:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-3793:01 advisory. squid: DoS when processing gopher server responses CVE-2021-46784 Tenable has extracted the preceding description block directly from the MiracleLinux securi...

MiracleLinux 7 : squid-3.5.20-17.el7.10 (AXSA:2024-7673:03)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7673:03 advisory. squid: denial of service in HTTP header parser CVE-2024-25617 squid: denial of service in HTTP request parsing CVE-2023-50269 squid: Buffer over-rea...

MiracleLinux 7 : squid-3.5.20-17.el7.7 (AXSA:2022-3510:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-3510:01 advisory. squid: DoS when processing gopher server responses CVE-2021-46784 Tenable has extracted the preceding description block directly from the MiracleLinux securi...

MiracleLinux 9 : squid-5.2-1.el9.1 (AXSA:2022-4015:03)

The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2022-4015:03 advisory. squid: DoS when processing gopher server responses CVE-2021-46784 Tenable has extracted the preceding description block directly from the MiracleLinux securi...

MiracleLinux 9 : squid-5.5-6.el9_3.5 (AXSA:2024-7340:01)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-7340:01 advisory. squid: Denial of Service in SSL Certificate validation CVE-2023-46724 squid: NULL pointer dereference in the gopher protocol code CVE-2023-46728...

MiracleLinux 8 : squid:4 (AXSA:2024-7404:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7404:01 advisory. squid: Denial of Service in SSL Certificate validation CVE-2023-46724 squid: NULL pointer dereference in the gopher protocol code CVE-2023-46728...

curl: Gopher Protocol Command Injection (SSRF Smuggling)

Summary The curl Gopher protocol handler is vulnerable to command injection through URL-encoded CRLF sequences in the path. This allows an attacker to "smuggle" additional Gopher selectors or arbitrary commands into a single Gopher request. By using %0d%0a in the URL, an attacker can break the...

CVE-1999-0124

Vulnerabilities in UMN gopher and gopher+ versions 1.12 and 2.0x allow an intruder to read any files that can be accessed by the gopher daemon...

CVE-1999-0640

The Gopher service is running...