JLSEC-2026-388
An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number...
JLSEC-2026-389
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved. For example, a URL like http://example.com%2F127.0.0.1/ would be allowed by the parser and get...
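To make the host-name problem concrete, here is an added example (not curl's code) that models the flawed behaviour with Python's urllib and contrasts it with a strict check. It decodes the host part naively, re-serialises the URL the way a later consumer would, and shows that the host changes from the encoded form to example.com; the strict variant refuses any host part in which percent-decoding introduces a separator. Function names and the rule of counting separators before and after decoding are this example's own choices.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Delimiters that separate URL components. If percent-decoding the host part
# produces one of these, the "host" silently turns into host + path, userinfo
# or port, and the URL means something else when it is rebuilt.
URL_SEPARATORS = "/?#@\\:"


def decode_host_naively(url: str) -> str:
    """The flawed behaviour: percent-decode the host part without checking
    what the decoded bytes are (constructed model, not curl's parser)."""
    return unquote(urlsplit(url).netloc)


def reserialised(url: str) -> str:
    """Rebuild the URL from the naively decoded host, as a later consumer of
    the parsed URL (redirect follower, cache, proxy) would."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, decode_host_naively(url), p.path, p.query, p.fragment))


def effective_host(url: str) -> str:
    """The host a client would actually connect to after that round trip."""
    return urlsplit(reserialised(url)).hostname


def strict_host(url: str) -> str:
    """Hardened parse: refuse a host part in which percent-decoding introduces
    a separator that was not present in encoded form. A literal ':' for a port
    or '@' for userinfo is still accepted because its count does not change."""
    netloc = urlsplit(url).netloc
    decoded = unquote(netloc)
    for sep in URL_SEPARATORS:
        if decoded.count(sep) != netloc.count(sep):
            raise ValueError(f"percent-encoded {sep!r} in host part {netloc!r}")
    return urlsplit(url).hostname


def host_is_well_formed(url: str) -> bool:
    """Boolean wrapper around strict_host for use in allow/deny decisions."""
    try:
        strict_host(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    bad = "http://example.com%2F127.0.0.1/"   # the advisory's example URL
    print(decode_host_naively(bad))            # example.com/127.0.0.1
    print(reserialised(bad))                   # http://example.com/127.0.0.1/
    print(effective_host(bad))                 # example.com
    print(host_is_well_formed(bad))            # False
```

Run strict_host on any URL you are about to follow, log or compare against an allowlist; the naive decode plus re-serialise path is exactly where the host name swap happens.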
JLSEC-2026-413 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could...
When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but...
JLSEC-2026-424 curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was...
curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more...
Security Bulletin: Requests SSL Verification Issue Fixed in 2.32.0
Summary Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value ...
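The bulletin describes a connection-pooling problem, so here is an added example (a constructed model, not Requests' code and not a description of the 2.32.0 patch) that shows why the first request's verify setting "sticks": a pool keyed only on scheme, host and port hands the unverified connection to later requests that asked for verification. The contrasting pool includes the verification setting in its key, which is a generic mitigation assumed here for illustration.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    """One pooled TLS connection. `verified` records whether the server
    certificate was checked when the connection was opened."""
    host: str
    verified: bool


class HostKeyedPool:
    """Models the flaw in the bulletin: the pool key is scheme/host/port only,
    so whichever verify setting the FIRST request used is what every later
    request to that host silently gets."""

    def __init__(self):
        self._conns = {}

    def request(self, host: str, verify: bool) -> Connection:
        key = ("https", host, 443)
        if key not in self._conns:
            self._conns[key] = Connection(host, verify)
        return self._conns[key]


class VerifyKeyedPool(HostKeyedPool):
    """Assumed mitigation: the verification setting is part of the key, so a
    verified and an unverified connection to the same host never substitute
    for each other."""

    def request(self, host: str, verify: bool) -> Connection:
        key = ("https", host, 443, verify)
        if key not in self._conns:
            self._conns[key] = Connection(host, verify)
        return self._conns[key]


def verification_trace(pool, requests):
    """Run a sequence of (host, verify) calls and report the verification
    state actually in effect for each one."""
    return [pool.request(host, verify).verified for host, verify in requests]


def silently_unverified(pool, requests):
    """Indices of requests that asked for verification but ran without it."""
    got = verification_trace(pool, requests)
    return [i for i, (_, wanted) in enumerate(requests) if wanted and not got[i]]


# Constructed request sequence: one insecure call, then verified calls.
SEQUENCE = [("api.example", False), ("api.example", True), ("other.example", True)]

if __name__ == "__main__":
    print(verification_trace(HostKeyedPool(), SEQUENCE))    # [False, False, True]
    print(silently_unverified(HostKeyedPool(), SEQUENCE))   # [1]
    print(verification_trace(VerifyKeyedPool(), SEQUENCE))  # [False, True, True]
```

Until a Session is upgraded, the practical workaround the model suggests is to never mix verify=False with verified calls on one Session: give the insecure call its own throwaway Session so it cannot seed the shared pool.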
Weak Password Recovery Mechanism for Forgotten Password
Overview phpbb/phpbb is a Forum Software application. Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the forceservervars configuration being disabled. An attacker can cause password reset emails to contain links to attacker-controll...
CVE-2026-29199
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Hos...
EUVD-2026-26892
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Hos...
CVE-2026-29199
CVE-2026-29199 affects phpBB prior to 3.3.16. The issue is a Host Header Injection in which, when force_server_vars is disabled, the server hostname is sourced from the HTTP Host header to build the password reset URL. An attacker who can control or influence the Host header can cause password re...
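The entries above describe the mechanism (Host header used as the server name when force_server_vars is off), so here is an added example in Python, not phpBB's code, that reproduces the reset-link construction and shows two defences: honouring a forced server name from configuration, and, independently of that flag, only accepting Host values on an explicit allowlist. The configuration keys other than force_server_vars, the reset path and the header values are constructed for the example.

```python
from urllib.parse import quote, urlsplit

# Assumed forum configuration. Only force_server_vars is named in the advisory;
# the other keys and the reset path are illustrative.
CONFIG = {
    "force_server_vars": False,
    "server_protocol": "https://",
    "server_name": "forum.example",
    "reset_path": "/reset_password",                  # hypothetical path
    "allowed_hosts": {"forum.example", "www.forum.example"},
}


def resolve_host(config: dict, headers: dict) -> str:
    """Mirror the behaviour described above: with force_server_vars disabled the
    host name comes from the request's Host header, otherwise from config."""
    if config["force_server_vars"]:
        return config["server_name"]
    return headers.get("Host", config["server_name"])   # attacker-influenced


def reset_link(config: dict, headers: dict, user_id: int, token: str) -> str:
    """Vulnerable construction: the link host is whatever resolve_host returns."""
    host = resolve_host(config, headers)
    return f"{config['server_protocol']}{host}{config['reset_path']}?u={user_id}&token={quote(token)}"


def hardened_reset_link(config: dict, headers: dict, user_id: int, token: str) -> str:
    """Defence that does not rely on the config flag alone: a forced server name
    wins; otherwise the Host header is accepted only if its host part (port
    stripped, case-folded) is on the allowlist, else the configured name is used."""
    if config["force_server_vars"]:
        host = config["server_name"]
    else:
        host = headers.get("Host", "")
        bare = host.split(":", 1)[0].lower()
        if bare not in config["allowed_hosts"]:
            host = config["server_name"]
    return f"{config['server_protocol']}{host}{config['reset_path']}?u={user_id}&token={quote(token)}"


def link_host(link: str) -> str:
    """Host a generated link actually points at; compare against server_name
    before sending mail to catch poisoning regardless of which path built it."""
    return urlsplit(link).hostname


# Constructed request headers for the two cases.
ATTACKER_HEADERS = {"Host": "attacker.example"}
LEGIT_HEADERS = {"Host": "forum.example"}

if __name__ == "__main__":
    print(reset_link(CONFIG, ATTACKER_HEADERS, 7, "t0k3n"))            # https://attacker.example/...
    print(hardened_reset_link(CONFIG, ATTACKER_HEADERS, 7, "t0k3n"))   # https://forum.example/...
```

Setting force_server_vars on (and filling in the real server name) is the configuration-level fix; the allowlist check is the belt-and-braces version for any application that still derives absolute URLs from Host.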
Malicious code in @apple-pay-trust/destroy (npm)
Source: amazon-inspector 6515019a886959d905d728f0fdcebeb16aa3e62bcf2e2643c0424ba87aeb8f79 The package @apple-pay-trust/destroy was found to contain malicious code. Source: ghsa-malware...
CVE-2026-7719
A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument http_host results in a buffer overflow. The attack may be launched...
CVE-2026-7721
Totolink WA300 5.2cu.7112_B20190227 is affected by a vulnerability in the NTPSyncWithHost handler of /cgi-bin/cstecgi.cgi. Manipulating the hostTime argument passed to NTPSyncWithHost enables remote command injection. Reported exploitability is network-based with low privilege requirements and no user in...
EUVD-2026-26870
A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument http_host results in a buffer overflow. The attack may be launched...
CVE-2026-7719 Totolink WA300 POST Request cstecgi.cgi loginauth buffer overflow
A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument http_host results in a buffer overflow. The attack may be launched...
CVE-2026-7719
The CVE-2026-7719 entry describes a buffer overflow in Totolink WA300’s /cgi-bin/cstecgi.cgi loginauth handler (affected component: POST Request Handler). Specifically, manipulation of the http_host argument can overflow a buffer, enabling a remote attack. Public exploit details are indicated (ex...
Malicious code in @bcs-adapters/core-adapter (npm)
Source: amazon-inspector 03871adba35cfbd98c46538c5e9d0249287bcc583bbf32fe1561eac467b2c5d8 The package @bcs-adapters/core-adapter was found to contain malicious code. Source: ghsa-malware...