WordPress plugin AI Chatbot & Workflow Automation by AIWU cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
CVE-2026-40074
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in an HTTP header, will cause an unhandled TypeError. This...
GHSA-4P4R-M79C-WQ3V Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Impact: Apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or...
CVE-2026-34240
JOSE is a JavaScript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...
PT-2026-29922
Summary: Rack::Sendfile's map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...
IBM Aspera Shares security vulnerability
IBM Aspera Shares is a Web application from International Business Machines (IBM). An input validation error vulnerability exists in IBM Aspera Shares. The vulnerability stems from improper input validation of the HOST header and can be exploited by an attacker to cause cross-site scripting, cache...
CVE-2026-1527
A flaw was found in undici, a Node.js HTTP/1.1 client. This vulnerability allows a remote attacker to inject malicious data into HTTP headers or prematurely end HTTP requests by sending specially crafted input to the upgrade option of client.request. This is possible because undici does not...
Linux Distros Unpatched Vulnerability : CVE-2026-30852
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expan...
CVE-2026-30852
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like http.request.header.X-Input, the...
Caddy's vars_regexp double-expands user input, leaking env vars and files
Summary: The vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like http.request.header.X-Input, the header value gets resolved once (expected), then passed through repl.ReplaceAll again (the bug). This mean...
EUVD-2024-44444
Malicious code in bioql PyPI...
GitLab 16.11 < 18.1.6 / 18.2 < 18.2.6 / 18.3 < 18.3.2 (CVE-2025-6454)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - The vulnerability exists due to insufficient validation of user-supplied input in the Webhook custom header. A remote user can send a specially crafted HTTP request and trick the application into initiating...
CVE-2023-42508 JFrog Artifactory Improper header input validation leads to email manipulation sent from the platform
JFrog Artifactory prior to version 7.66.0 is vulnerable to specific endpoint abuse with a specially crafted payload, which can lead to unauthenticated users being able to send emails with manipulated email body...
CVE-2023-26148
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add carriage return and line feed (\r\n) characters and inject additional headers into the request sent...
Crow Injection Vulnerability
Crow is a C++ microframework for running Web services. A security vulnerability exists in Crow that stems from HTTP response splitting when header values are constructed using untrusted user input: header values in the set_header and add_header functions are not properly cleane...
Flarum cross-site scripting vulnerability
Flarum is an open source forum system for the Flarum community. A cross-site scripting vulnerability exists in Flarum versions 1.5.0 through 1.6.1. An attacker can exploit the vulnerability to inject malicious HTML via header input...
SolarWinds Database Performance Analyzer cross-site scripting vulnerability
SolarWinds Database Performance Analyzer is a database performance analyzer from SolarWinds, Inc. The product is used for SQL query performance monitoring, analysis and tuning. A security vulnerability exists in SolarWinds Database Performance Analyzer v2021.3.7388, which stems from ...
CVE-2020-4828
IBM API Connect 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.13 is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. IBM X-Force ID: 189842...
MTN Group: Reflected XSS on gamesclub.mtn.com.g
Hello dear, I have found Reflected XSS on gamesclub.mtn.com.g. Parameters injectable: /header.aspx. My payload: "; HTTP header input Referer was set to https://www.google.com/search?hl=en&q=testing'"&%gQmT9082. HTTP request: =========== GET /header.aspx HTTP/1.1 Host: gamesclub.mtn.com.gh...