CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

33221 matches found

EEF-CVE-2026-48595 Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects

Summary Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison...

8.2CVSS5.8AI score0.00042EPSS

Exploits0References4

ATTACKERKB•added 2 days ago•3 views

CVE-2026-48595

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a...

8.2CVSS5.8AI score0.00042EPSS

Exploits0References5Affected Software1

Cvelist•added 2 days ago•29 views

CVE-2026-48595 Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects

8.2CVSS0.00042EPSS

Exploits0References4

EUVD•added 2 days ago•5 views

EUVD-2026-34014

8.2CVSS5.8AI score0.00042EPSS

Exploits0References4

Vulnrichment•added 2 days ago•5 views

CVE-2026-48595 Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects

8.2CVSS5.8AI score0.00042EPSS

Exploits0References4

CVE•added 2 days ago•11 views

CVE-2026-48595

The CVE-2026-48595 entry describes an Authorization header leakage in Tesla’s Elixir Tesla middleware (FollowRedirects) due to a case-sensitive comparison against a lowercase filter list for headers like Authorization/host. HTTP header names are case-insensitive, but Tesla preserves header keys a...

8.2CVSS5.8AI score0.00042EPSS

Exploits0References4

Cvelist•added 2 days ago•25 views

CVE-2026-48598 CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.partheadersfordisposition/1 interpolates each disposition parameter as k="v" with no validation of CR \r, LF \n, o...

2.1CVSS0.00014EPSS

Exploits0References4

ATTACKERKB•added 2 days ago•4 views

CVE-2026-48598

2.1CVSS5.8AI score0.00014EPSS

Exploits0References5Affected Software1

EUVD•added 2 days ago•6 views

EUVD-2026-34012

2.1CVSS5.8AI score0.00014EPSS

Exploits0References4

OSV•added 2 days ago•3 views

EEF-CVE-2026-48598 CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

Summary Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.partheadersfordisposition/1 interpolates each disposition parameter as k="v" with no validation of CR \r, ...

2.1CVSS5.8AI score0.00014EPSS

Exploits0References4

CVE•added 2 days ago•9 views

CVE-2026-48598

The CVE-2026-48598 entry affects the Elixir Tesla library, specifically Tesla.Multipart.part_headers_for_disposition/1. The vulnerability arises from improper encoding of disposition parameters, treating each parameter as k="v" without sanitizing CR (\r), LF (\n), or double-quote characters. Mali...

2.1CVSS5.8AI score0.00014EPSS

Exploits0References4

Vulnrichment•added 2 days ago•3 views

CVE-2026-48598 CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

2.1CVSS5.8AI score0.00014EPSS

Exploits0References4

ATTACKERKB•added 2 days ago•4 views

CVE-2026-47265

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. If a developer uses the cookies parameter on a per-request basis then sensitive data might ...

8.7CVSS5.8AI score0.00019EPSS

Exploits0References3Affected Software1

Vulnrichment•added 2 days ago•4 views

CVE-2026-47265 AIOHTTP vulnerable to cross-origin redirect with per-request cookies

8.7CVSS5.8AI score0.00019EPSS

Exploits0References2

OSV•added 2 days ago•1 views

OPENSUSE-SU-2026:20885-1 Security update for python-Flask

This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700...

4.3CVSS5.8AI score0.00014EPSS

Exploits0References2

NVD•added 2 days ago•5 views

CVE-2026-33244

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS in the statically generated HTML files if the redirect location comes from an...

5.4CVSS0.00029EPSS

Exploits0References1

Vulnrichment•added 2 days ago•6 views

CVE-2026-33244 React Router has stored XSS via unescaped Location header in prerendered redirect HTML

5.4CVSS5.8AI score0.00029EPSS

Exploits0References1

Cvelist•added 2 days ago•24 views

CVE-2026-33244 React Router has stored XSS via unescaped Location header in prerendered redirect HTML

5.4CVSS0.00029EPSS

Exploits0References1

CVE•added 2 days ago•9 views

CVE-2026-33244

CVE-2026-33244 affects React Router in versions 7.5.1–7.13.1 when using Framework Mode with pre-rendering enabled. The issue is improper neutralization of the HTTP Location header value, allowing Cross-Site Scripting (XSS) in statically generated HTML if the redirect target comes from an untruste...

5.4CVSS5.8AI score0.00029EPSS

Exploits0References1Affected Software1

NVD•added 2 days ago•8 views

CVE-2026-49754

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client HTTP/2 CONTINUATION flood. When Mint's HTTP/2 receive path observes a HEADERS frame without the ENDHEADERS flag, the unparsed...

8.2CVSS0.00042EPSS

Exploits0References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by