Improper Validation of Unsafe Equivalence in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the CXF-RS or CXF-SOAP endpoints due to missing inbound filtering via setInFilterStartsWith. An attacker can execute arbitrary code and write files by injecting Camel-internal header...
F5 NGINX Open Source Security Vulnerability
F5 NGINX Open Source is a high-performance web server, reverse proxy server, load balancer, and API gateway provided by the F5 company. There is a security vulnerability in F5 NGINX Open Source, which stems from the use of proxy_set_body when configuring HTTP/2 traffic. This vulnerability may lead ...
CVE-2026-42035
A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to...
Axios Injection Vulnerability
Axios is an open-source HTTP client developed by Axios. Versions of Axios from 1.0.0 to 1.15.1 had an injection vulnerability. This vulnerability stemmed from the FormDataPart constructor function, which directly inserted the value.type into the Content-Type header without clearing the CRLF...
aiohttp Injection Vulnerability
aiohttp is an open-source framework developed by aio-libs, used for asynchronous HTTP client/server interactions with asyncio and Python. Prior to version 3.13.4 of aiohttp there was an injection vulnerability, which stemmed from the C parser allowing empty bytes and control...
BIT-NGINX-GATEWAY-2026-28753 NGINX ngx_mail_proxy_module vulnerability
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation...
PT-2026-28442
Name of the Vulnerable Software and Affected Versions: Traefik versions prior to 3.6.11 and 3.7.0-ea.2. Description: Traefik’s Knative provider constructs router rules by incorporating user-provided values into rule expressions without proper sanitization. Specifically, the rules.hosts field in...
UBUNTU-CVE-2026-3633
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soup_message_new function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly...
PT-2026-26175
Summary ewe's chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. Security-sensitive headers like authorization, cookie, and x-forwarded-for can be injected or overwritten by a malicious client...
MiracleLinux 8 : python3.11-3.11.13-5.el8_10 (AXSA:2026-312:06)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-312:06 advisory. cpython: wsgiref.headers.Headers allows header newline injection in Python CVE-2026-0865 cpython: IMAP command injection in user-controlled commands...
EUVD-2017-14713
Malware in sbrugna...
EUVD-2020-24388
Malware in sbrugna...
curl: curl mishandles `%0c%0b` sequences in HTTP responses leading to CRLF confusions, Headers and Cookies Injection
Summary: Hello. Actually, this bug was found unexpectedly during some security audits on a private asset; we found some differences in how Burp proxy/Python's requests library handles the asset's HTTP responses on a certain endpoint and how curl handles the same HTTP responses. The bug arises whe...
CVE-2023-6095
Vladimir Kononovich, a Security Researcher has found a flaw that allows for a remote code execution on the DVR. An attacker could inject malicious HTTP headers into request packets to execute arbitrary code. The manufacturer has released patch firmware for the flaw, please refer to the...
Change Request Cross-Site Scripting Vulnerability
Change Request is an open source library from XWiki Contrib. Change Request suffers from a cross-site scripting vulnerability that originates from a user without any specific privileges being able to perform script injection and remote code execution by simply inserting the appropriate headers wh...
Cross site scripting
All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. An attacker can add \r\n (carriage return, line feed) characters to end the HTTP response headers and inject malicious content, like for example...
CVE-2021-37499
CRLF vulnerability in the Reprise License Manager RLM web interface through 14.2BL4, in the password parameter of the View License Result function, which allows remote attackers to inject arbitrary HTTP headers...
GHSA-2Q8V-QX2X-HXJX Jenkins allows HTTP Injection and Response Splitting
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via...
PluXml Cross-Site Scripting Vulnerability
PluXml is a free and open source content management system that does not require a database to work. A cross-site scripting vulnerability exists in PluXML: a stored XSS that the Article Editing feature of PluXML 5.8.7 allows to be carried out via headers or content...
UBUNTU-CVE-2020-7695
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers...