CURL-CVE-2026-9546 sending old referer

A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPTREFERER suppresses the header, the option failed to clear the internal state. As a result, the previous referrer string was erroneously...

EUVD-2026-38710

In the Linux kernel, the following vulnerability has been resolved: tun: zero the whole vnet header in tunputuser tunputuser declares an on-stack struct virtionethdrv1hashtunnel without zeroing it. For a non-tunnel skb, virtionethdrtnlfromskb only initializes the first 10 bytes sizeofstruct...

EUVD-2026-36729

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies...

CVE-2026-48856

This CVE affects Erlang OTP inets (httpc_response) where cross-origin 3xx redirects copy Authorization and Proxy-Authorization headers to the redirect target, enabling credential theft. Root cause: httpc_response:redirect/2 only updates the host field; other header fields are copied, with autored...

Amazon Linux 2023 : perl-libwww-perl, perl-libwww-perl-tests (ALAS2023-2026-1764)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1764 advisory. LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross- origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before...

CVE-2026-42553

Cinny is a Matrix client. Prior to 4.10.3, A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes for example in a DM can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victim...

CVE-2026-7168

A flaw was found in libcurl. When a user performs a transfer over an HTTP proxy using Digest authentication and then reuses the same handle for a second transfer with a different proxy host, libcurl incorrectly sends the Proxy-Authorization header intended for the first proxy to the second proxy...

MGASA-2026-0150 Updated perl-libwww-perl & perl-HTTP-Message packages fix security vulnerabilities

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects...

CVE-2026-7168 cross-proxy Digest auth state leak

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

PT-2026-39744

🚨 High - urllib3 Sensitive Header Leak & Decompression Bomb Safeguard Bypass CVE-2026-31015 & CVE-2026-31020 Two critical vulnerabilities were identified in the urllib3 library Node.js/Python. The first flaw GHSA-qccp-gfcp-xxvc allows sensitive headers like Authorization and Cookie to be leaked...

PT-2026-39745

🚨 High - urllib3 Sensitive Header Leak & Decompression Bomb Safeguard Bypass CVE-2026-31015 & CVE-2026-31020 Two critical vulnerabilities were identified in the urllib3 library Node.js/Python. The first flaw GHSA-qccp-gfcp-xxvc allows sensitive headers like Authorization and Cookie to be leaked...

PT-2026-38408

Name of the Vulnerable Software and Affected Versions microsoft-kiota-http-okHttp versions 1.9.0 and earlier kiota-dotnet affected versions not specified kiota-java affected versions not specified kiota-python affected versions not specified kiota-typescript affected versions not specified...

CURL-CVE-2026-7168 cross-proxy Digest auth state leak

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

CVE-2026-41345 OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download

OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials...

AIOHTTP Leaks Cookie And Proxy-Authorization Headers On Cross-origin Redirect

Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. Impact The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following...

Fedora 43 : cpp-httplib (2026-c2049f7220)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c2049f7220 advisory. Update to 0.37.0 rhbz2441656 - Fixes Denial of Service via crafted HTTP POST request CVE-2026-29076, rhbz2445663 Update to 0.35.0 - Payload size lim...

CVE-2026-33180 HAPI FHIR HTTP authentication leak in redirects

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP...

CVE-2026-33180 HAPI FHIR HTTP authentication leak in redirects

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP...

RLSA-2023:7042 Moderate: python27:2.7 security and bug fix update

Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for...