SUSE CVE-2026-34519

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

SUSE CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

SUSE CVE-2026-34525

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4...

Rack::Request accepts invalid Host characters, enabling host allowlist bypass

Summary Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be...

EUVD-2026-18478

Rack::Request accepts invalid Host characters, enabling host allowlist bypass...

GHSA-G2PF-XV49-M2H5 Rack::Request accepts invalid Host characters, enabling host allowlist bypass

Summary Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be...

EUVD-2026-18390

Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect...

Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect

Summary Rack::Sendfilemapaccelpath interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...

GHSA-QV7J-4883-HWH7 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect

Summary Rack::Sendfilemapaccelpath interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...

EUVD-2026-18378

Rack has quadratic complexity in Rack::Utils.selectbestencoding via wildcard Accept-Encoding header...

EUVD-2026-18423

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing...

GHSA-QFGR-CRR9-7R49 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Summary Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack as...

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Summary Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack as...

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values

Summary Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result,...

GHSA-RX22-G9MX-QRHV Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values

Summary Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result,...

EUVD-2026-18417

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values...

EUVD-2026-18368

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass...

CVE-2026-34752

Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with proto: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4...

GHSA-X8CG-FQ8G-MXFX Rack's multipart byte range processing allows denial of service via excessive overlapping ranges

Summary Rack::Utils.getbyteranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many...

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges

Summary Rack::Utils.getbyteranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many...