GHSA-F5P7-9FR5-8JMJ Granian vulnerable to DoS via WSGI response header panic

Summary Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a...

Granian vulnerable to DoS via WSGI response header panic

Summary Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a...

PT-2026-38269

Name of the Vulnerable Software and Affected Versions Granian versions 0.2.0 through 2.7.3 Description Granian aborts a worker process when a WSGI application returns an invalid HTTP response header name or value. This occurs because the WSGI response conversion path utilizes .unwrap on both head...

OSV-2026-610 Memcpy-param-overlap in htx_replace_blk_value

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=504612570 Crash type: Memcpy-param-overlap Crash state: htxreplaceblkvalue httpreplaceheadervalue httpschemebasednormalize...

CVE-2026-5440

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the Content-Length header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large Content-Length val...

SUSE CVE-2026-29777

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.10, A tenant with write access to an HTTPRoute resource can inject backtick-delimited rule tokens into Traefik's router rule language via unsanitized header or query parameter match values. In shared gateway deployments, this can...

Security update for python-aiohttp

This update for python-aiohttp fixes the following issues: CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. CVE-2025-69226: Fixed brute-force leak of internal static file path components bsc1256020. CVE-2025-69224: Fixed unicode processing of header values could cause...

CVE-2026-29046 TinyWeb: HTTP Header Control Character Injection into CGI Environment

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables HTTP. The parser did not strictly reject dangerous control characters in header lines and header values, including CR, L...

libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the...

libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the...

Emby Server 安全漏洞

Emby Server is a powerful media server for individual developers. The product can be used primarily for integrated multimedia editing such as video audio and photos. A security vulnerability exists in Emby Server versions prior to 4.8.1.0 and prior to 4.9.0.0-beta, which stems from an uncleaned...

EUVD-2020-17716

Malware in sbrugna...

EUVD-2023-12835

Malicious code in bioql PyPI...

ROS-20250923-04

A vulnerability in the Python programming language interpreter CPython is related to insufficient validation of user data in Lib/email/headervalueparser.py. user data in Lib/email/headervalueparser.py. Exploitation of the vulnerability could allow an attacker acting remotely to execute a spoofing...

ROS-20250923-03

A vulnerability in the Python programming language interpreter CPython is related to insufficient validation of user data in Lib/email/headervalueparser.py. user data in Lib/email/headervalueparser.py. Exploitation of the vulnerability could allow an attacker acting remotely to execute a spoofing...

UBUNTU-CVE-2023-53439

In the Linux kernel, the following vulnerability has been resolved: net: skbpartialcsumset fix against transport header magic value skb-transportheader uses the special 0xFFFF value to mark if the transport header was set or not. We must prevent callers to accidentaly set skb-transportheader to...

CVE-2025-20244

A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance ASA Software and Cisco Secure Firewall Threat Defense FTD Software could allow a remote attacker that is authenticated as a VPN user to cause the device to reload unexpectedly, resulting in ...

CVE-2024-23644

Trillium is a composable toolkit for building internet applications with async rust. In trillium-http prior to 0.3.12 and trillium-client prior to 0.5.4, insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have...

CVE-2022-4541

The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP Header value in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

AZL-56204 CVE-2024-10603 affecting package podman for versions less than 5.6.1-2

Weaknesses in the generation of TCP/UDP source ports and some other header values in Google's gVisor allowed them to be predicted by an external attacker in some circumstances...