123 matches found

ATTACKERKB
added 2026/05/25 2:0 p.m., 7 views

CVE-2026-47070

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

CVSS: 9.8 | AI score: 6.8 | EPSS: 0.08031
Exploits: 1 | References: 5 | Affected Software: 1
EUVD
added 2026/05/25 2:0 p.m., 9 views

EUVD-2026-31689

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a hackney_url record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so ...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00157
Exploits: 1 | References: 4
Vulnrichment
added 2026/05/25 2:0 p.m., 6 views

CVE-2026-47070 HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

CVSS: 6 | AI score: 5.8 | EPSS: 0.00327
Exploits: 1 | References: 4
Vulnrichment
added 2026/05/25 2:0 p.m., 8 views

CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a hackney_url record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so ...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00157
Exploits: 1 | References: 4
EUVD
added 2026/05/25 2:0 p.m., 9 views

EUVD-2026-31692

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request...

CVSS: 6 | AI score: 5.8 | EPSS: 0.00327
Exploits: 1 | References: 4
CVE
added 2026/05/25 2:0 p.m., 53 views

CVE-2026-47076

CVE-2026-47076 affects the hackney HTTP client (from 0.13.0 up to, but not including, 4.0.1). The issue arises because hackney_url:normalize/2 decodes the host after parsing, while OTP’s uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes, allowing a crafted URL such as htt...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00157
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2026/05/25 2:0 p.m., 4 views

EEF-CVE-2026-47070 HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney

Summary: Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3...

CVSS: 6 | AI score: 5.8 | EPSS: 0.00327
Exploits: 1 | References: 4
CVE
added 2026/05/25 2:0 p.m., 14 views

CVE-2026-47070

The vulnerability CVE-2026-47070 affects the Hackney HTTP client. It specifically concerns the HTTP/3 redirect handler (src/hackney_h3.erl) which forwards the original request headers to the redirect target without any cross-origin checking when follow_redirect is enabled. This causes Authorizati...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00327
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2026/05/25 2:0 p.m., 6 views

EEF-CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney

Summary: Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a hackney_url record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00157
Exploits: 1 | References: 4
ATTACKERKB
added 2026/05/25 2:0 p.m., 6 views

CVE-2026-47075

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar define...

CVSS: 6.8 | AI score: 5.9 | EPSS: 0.00394
Exploits: 1 | References: 5
OSV
added 2026/05/25 2:0 p.m., 6 views

EEF-CVE-2026-47075 CR/LF injection in query parameter in hackney

Summary: Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the gramma...

CVSS: 6.8 | AI score: 5.9 | EPSS: 0.00394
Exploits: 1 | References: 4
EUVD
added 2026/05/25 2:0 p.m., 11 views

EUVD-2026-31687

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar define...

CVSS: 6.8 | AI score: 5.9 | EPSS: 0.00394
Exploits: 1 | References: 4
Vulnrichment
added 2026/05/25 2:0 p.m., 7 views

CVE-2026-47075 CR/LF injection in query parameter in hackney

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar define...

CVSS: 6.8 | AI score: 5.9 | EPSS: 0.00394
Exploits: 1 | References: 4
CVE
added 2026/05/25 2:0 p.m., 21 views

CVE-2026-47075

CVE-2026-47075 describes a CRLF injection in Hackney’s URL query handling. Hackney does not percent-encode CR/LF characters in the query string before forming the HTTP/1.1 request target, allowing an attacker who controls the URL to inject raw CRLF sequences and potentially perform HTTP header in...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.00394
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2026/05/25 2:0 p.m., 37 views

CVE-2026-47075 CR/LF injection in query parameter in hackney

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar define...

CVSS: 6.8 | EPSS: 0.00394
Exploits: 1 | References: 4
Cvelist
added 2026/05/25 2:0 p.m., 32 views

CVE-2026-47077 Unbounded body accumulation in HTTP/3 response loop in hackney

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk,...

CVSS: 8.2 | EPSS: 0.0067
Exploits: 1 | References: 4
ATTACKERKB
added 2026/05/25 2:0 p.m., 6 views

CVE-2026-47077

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk,...

CVSS: 8.2 | AI score: 5.9 | EPSS: 0.0067
Exploits: 1 | References: 5 | Affected Software: 1
EUVD
added 2026/05/25 2:0 p.m., 7 views

EUVD-2026-31688

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk,...

CVSS: 8.2 | AI score: 5.9 | EPSS: 0.0067
Exploits: 1 | References: 4
Vulnrichment
added 2026/05/25 2:0 p.m., 6 views

CVE-2026-47077 Unbounded body accumulation in HTTP/3 response loop in hackney

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk,...

CVSS: 8.2 | AI score: 5.9 | EPSS: 0.0067
Exploits: 1 | References: 4
CVE
added 2026/05/25 2:0 p.m., 16 views

CVE-2026-47077

The CVE affects hackney (versions 2.0.0–4.0.0) due to an unbounded in-memory accumulation in hackney_h3:await_response_loop/6, where HTTP/3 response chunks are buffered without a cap. A malicious server can keep sending small chunks, preventing loop termination and exhausting the BEAM heap, leadi...

CVSS: 8.2 | AI score: 5.9 | EPSS: 0.0067
Exploits: 1 | References: 4 | Affected Software: 1