Lucene search

95 matches found

AstraLinux
added 2026/05/03 11:59 p.m.

Astra Linux - vulnerability in squid

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggeri...

CVSS 7.5 | AI score 6.8 | EPSS 0.02262
Exploits: 0 | References: 2
Github Security Blog
added 2026/04/14 11:35 p.m.

Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations

Required Permissions: the exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create assets in the volume". Details: the implementation fails to restrict the URL scheme. While the application is intended to "upload assets", there is no...

CVSS 7 | AI score 5.8 | EPSS 0.00042
Exploits: 0 | References: 4 | Affected Software: 1
RedhatCVE
added 2026/04/07 11:01 p.m.

CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated...

CVSS 7.7 | AI score 6 | EPSS 0.0004
Exploits: 1 | References: 1
NVD
added 2026/04/06 8:16 p.m.

CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated...

CVSS 7.7 | EPSS 0.0004
Exploits: 1 | References: 2
ATTACKERKB
added 2026/04/06 7:33 p.m.

CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated...

CVSS 7.7 | AI score 6 | EPSS 0.0004
Exploits: 1 | References: 3 | Affected Software: 1
CVE
added 2026/04/06 7:33 p.m.

CVE-2026-35187

CVE-2026-35187 affects pyload/pyload-ng prior to 0.5.0b3.dev97, where parse_urls(...) calls get_url(url) without URL validation, protocol restriction, or IP blacklist. This enables Server-Side Request Forgery (SSRF) via crafted URLs and multi-protocol support (http/https, file://, gopher://, dict...

CVSS 7.7 | AI score 6 | EPSS 0.0004
Exploits: 1 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/04/04 12:00 a.m.

PT-2026-30319

Vulnerability Details: CWE-918 Server-Side Request Forgery (SSRF). The parse_urls API function in src/pyload/core/api/__init__.py (line 556) fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permissi...

CVSS 7.7 | AI score 6 | EPSS 0.0004
Exploits: 1 | References: 5
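The pyLoad entries above all describe the same missing control: a URL supplied by an authenticated user is handed to a multi-protocol client with no scheme allowlist and no check on where the host actually resolves. The following is an added example of the gate a reviewer would expect in front of such a fetch. It is not pyLoad's code and does not reproduce its API; the function names, the injectable `resolver` parameter and the host names used in the comments are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a server-side download fetcher legitimately needs. pycurl otherwise
# accepts file://, gopher://, dict://, ftp:// and more, which is exactly what
# turns an unvalidated fetch into multi-protocol SSRF.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so the loopback
    check cannot be bypassed by writing the address in IPv6 notation.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def validate_fetch_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return `url` if it is safe to fetch server-side, else raise ValueError.

    `resolver` has socket.getaddrinfo's signature; it is injectable (an
    assumption of this example) so the gate can be exercised offline.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    port = parts.port or (443 if scheme == "https" else 80)

    # IP literals are checked directly. Names are resolved and *every*
    # returned address is checked, so a name with one public and one
    # internal record is rejected instead of passing on its first answer.
    try:
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            infos = resolver(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
        addrs = {info[4][0] for info in infos}
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return url


def is_safe_fetch_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean form of validate_fetch_url for callers that only need a gate."""
    try:
        validate_fetch_url(url, resolver)
    except ValueError:
        return False
    return True
```

Two things this gate cannot do on its own: the address it approved must also be the one the client connects to (libcurl's CURLOPT_RESOLVE, or connecting by IP with the Host header set), otherwise a DNS answer can change between the check and the connect; and redirects must be disabled or re-validated per hop, because a 302 to http://127.0.0.1/ arrives after the gate has already passed.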
Tenable Nessus
added 2026/01/20 12:00 a.m.

MiracleLinux 7 : squid-3.5.20-17.el7.10 (AXSA:2024-7673:03)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7673:03 advisory. squid: denial of service in HTTP header parser CVE-2024-25617 squid: denial of service in HTTP request parsing CVE-2023-50269 squid: Buffer over-rea...

CVSS 8.6 | AI score 5.8 | EPSS 0.09621
Exploits: 0 | References: 7
Tenable Nessus
added 2026/01/20 12:00 a.m.

MiracleLinux 9 : squid-5.5-6.el9_3.5 (AXSA:2024-7340:01)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-7340:01 advisory. squid: Denial of Service in SSL Certificate validation CVE-2023-46724 squid: NULL pointer dereference in the gopher protocol code CVE-2023-46728...

CVSS 8.6 | AI score 5.7 | EPSS 0.09621
Exploits: 0 | References: 5
Hacker One
added 2026/01/13 1:16 p.m.

curl: Gopher Protocol Command Injection (SSRF Smuggling)

Summary: The curl Gopher protocol handler is vulnerable to command injection through URL-encoded CRLF sequences in the path. This allows an attacker to "smuggle" additional Gopher selectors or arbitrary commands into a single Gopher request. By using %0d%0a in the URL, an attacker can break the...

AI score 8.1
Exploits: 0
Hacker One
added 2026/01/02 5:54 a.m.

curl: CRLF Injection in Gopher Protocol (`lib/gopher.c`)

Control characters slip through during URL handling in curl's Gopher setup. Though null bytes get blocked by the REJECTZERO setting, returns and line feeds remain permitted. A specially built address using percent-encoded breaks, like %0D%0A, opens room for command insertion. Because of how...

AI score 7.2
Exploits: 0
Hacker One
added 2025/12/24 12:25 a.m.

curl: Protocol Smuggling / CRLF Injection via Gopher Protocol allows Arbitrary Command Injection

Summary: I have discovered that the Gopher protocol implementation in curl fails to properly sanitize newline characters %0d%0 in the selector path. This allows an attacker to inject arbitrary TCP commands when curl connects to a target server via gopher://. This vulnerability enables Protocol...

AI score 7.8
Exploits: 0
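The three curl reports above describe one mechanism: a gopher selector is percent-decoded and written to the socket followed by CRLF, so %0d%0a inside the selector becomes a line break that a line-oriented server reads as a second command. The following is an added example, not curl's code and not taken from the reports, that models that client behaviour, shows what the peer receives, and adds the check that closes it. The host names and payload are constructed for the example; the function names are assumptions.

```python
from urllib.parse import unquote_to_bytes, urlsplit

CRLF = b"\r\n"


def gopher_selector(url: str) -> bytes:
    """Percent-decoded selector from a gopher:// URL.

    The URL path is "/<item-type><selector>"; the single item-type character
    is for the client's benefit and is not sent on the wire.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise ValueError("not a gopher URL")
    path = parts.path
    return unquote_to_bytes(path[2:]) if len(path) >= 2 else b""


def naive_gopher_request(url: str) -> bytes:
    """What a client that trusts the decoded selector puts on the socket:
    selector + CRLF, with no check for CR or LF inside the selector.
    This models the flaw the reports describe; it is example code, not
    curl's implementation."""
    return gopher_selector(url) + CRLF


def server_side_lines(request: bytes) -> list:
    """Split the request the way a line-oriented server reads it, one
    CRLF-terminated command per element."""
    return request.split(CRLF)[:-1]


def hardened_gopher_request(url: str) -> bytes:
    """Same request, but CR, LF and NUL in the decoded selector are refused.
    TAB is deliberately still allowed: RFC 1436 uses it to separate a
    selector from a search string."""
    selector = gopher_selector(url)
    if any(b in selector for b in (b"\r", b"\n", b"\x00")):
        raise ValueError("control bytes in gopher selector")
    return selector + CRLF
```

The same check belongs in any SSRF gate that forwards user URLs to a multi-protocol fetcher: blocking the destination is not enough if a permitted destination speaks a line-oriented protocol and the selector can carry its own line breaks.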
Tenable Nessus
added 2025/05/14 12:00 a.m.

Alibaba Cloud Linux 3 : 0020: squid:4 (ALINUX3-SA-2024:0020)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2024:0020 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2023-46724: Squid is a caching proxy f...

CVSS 8.6 | AI score 7.3 | EPSS 0.09621
Exploits: 0 | References: 6
Tenable Nessus
added 2025/03/05 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2023-46728

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service...

CVSS 7.5 | AI score 7.7 | EPSS 0.02262
Exploits: 0 | References: 2
Positive Technologies
added 2025/02/19 12:00 a.m.

PT-2025-7409 · Hitachi Vantara · Hitachi Vantara Pentaho Business Analytics Server

Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.0; Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.3.0.9; Hitachi Vantara Pentaho Business Analytics Server version 8.3.x. Description: The web serv...

CVSS 8.6 | AI score 7.2 | EPSS 0.00044
Exploits: 0 | References: 9
RedHat Linux
added 2024/04/11 5:00 p.m.

squid: NULL pointer dereference in the gopher protocol code

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid. This issue may lead to a remote denial ...

CVSS 7.5 | AI score 5.8 | EPSS 0.02262
Exploits: 0 | References: 6
Tenable Nessus
added 2024/04/11 12:00 a.m.

RHEL 7 : squid (RHSA-2024:1787)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1787 advisory. Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fixes: squid: deni...

CVSS 8.6 | AI score 7.1 | EPSS 0.09621
Exploits: 0 | References: 14
Tenable Nessus
added 2024/03/12 12:00 a.m.

EulerOS 2.0 SP8 : squid (EulerOS-SA-2024-1301)

According to the versions of the squid package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6....

CVSS 8.6 | AI score 7.2 | EPSS 0.09621
Exploits: 0 | References: 6
OpenVAS
added 2024/03/12 12:00 a.m.

Huawei EulerOS: Security Advisory for squid (EulerOS-SA-2024-1301)

The remote host is missing an update for the Huawei EulerOS ...

CVSS 8.6 | AI score 7.9 | EPSS 0.09621
Exploits: 0 | References: 2
Debian
added 2024/03/08 2:18 p.m.

[SECURITY] [DSA 5637-1] squid security update

Debian Security Advisory DSA-5637-1 https://www.debian.org/security/ Markus Koschany, March 08, 2024 https://www.debian.org/security/faq ...

CVSS 9.3 | AI score 8.6 | EPSS 0.38209
Exploits: 1