34 matches found
EulerOS 2.0 SP13 : golang (EulerOS-SA-2026-2334)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.CVE-2026-25679 Actions which insert URLs into the...
CVE-2026-27145 Inefficient candidate hostname parsing in crypto/x509
x509.Certificate.VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name SAN entries. This caused strings.Splithost, "." to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number...
GO-2026-5037 Inefficient candidate hostname parsing in crypto/x509
x509.Certificate.VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name SAN entries. This caused strings.Splithost, "." to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number...
GHSA-HH8V-HGVP-G3F5 league/commonmark has an embed extension allowed_domains bypass
Impact The DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This enabl...
league/commonmark has an embed extension allowed_domains bypass
Impact The DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This enabl...
GHSA-7GCC-R8M5-44QM Koa has Host Header Injection via ctx.hostname
Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...
Koa has Host Header Injection via ctx.hostname
Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...
CVE-2026-27959
A flaw was found in Koa’s ctx.hostname API used in Node.js applications. The function incorrectly parses specially crafted HTTP Host headers containing an @ character, which can cause the extracted hostname value to differ from the intended origin. An attacker can exploit this behavior by sending...
CVE-2026-27959
Koa (Node.js) prior to versions 3.1.2 and 2.16.4 exposes a vulnerability in ctx.hostname: it naively parses the Host header and returns an attacker-controlled value when the header contains an invalid RFC 3986 hostname (e.g., with a @). This can affect URL generation, password reset links, email ...
PT-2026-22104
Name of the Vulnerable Software and Affected Versions Koa versions prior to 3.1.2 Koa versions prior to 2.16.4 Description Koa middleware for Node.js, using ES2017 async functions, has an issue where the ctx.hostname API improperly parses the HTTP Host header. The parsing does not validate input...
PT-2026-26486
Name of the Vulnerable Software and Affected Versions league/commonmark versions 2.3.0 through 2.8.1 Description The DomainFilteringAdapter within the Embed extension is susceptible to an allowlist bypass because of a missing hostname boundary assertion in the domain-matching regular expression. ...
Security update for librsvg
This update for librsvg fixes the following issues: Update to version 2.52.12. CVE-2024-12224: idna: incorrect hostname comparisons and URL parsing may be performed due to acceptance of Punycode labels that do not produce any non-ASCII output when decoded bsc1243867. CVE-2024-43806: rustix:...
SUSE-SU-2025:4411-1 Security update for librsvg
This update for librsvg fixes the following issues: Update to version 2.52.12. - CVE-2024-12224: idna: incorrect hostname comparisons and URL parsing may be performed due to acceptance of Punycode labels that do not produce any non-ASCII output when decoded bsc1243867. - CVE-2024-43806: rustix:...
Security update for afterburn
This update for afterburn fixes the following issues: Update to version 5.9.0.git21.a73f509. Security issues fixed: CVE-2022-24713: regex: no proper complexity limitation when parsing untrusted regular expressions with large repetitions on empty sub-expressions can lead to excessive resource...
SUSE-SU-2025:3785-1 Security update for afterburn
This update for afterburn fixes the following issues: Update to version 5.9.0.git21.a73f509. Security issues fixed: - CVE-2022-24713: regex: no proper complexity limitation when parsing untrusted regular expressions with large repetitions on empty sub-expressions can lead to excessive resource...
Security update for snpguest
This update for snpguest fixes the following issues: CVE-2024-12224: idna: acceptance of Punycode labels that do not produce any non-ASCII output may lead to incorrect hostname comparisons and incorrect URL parsing bsc1243869. CVE-2025-3416: openssl: use-after-free in Md::fetch and Cipher::fetch...
SUSE-SU-2025:03445-1 Security update for snpguest
This update for snpguest fixes the following issues: - CVE-2024-12224: idna: acceptance of Punycode labels that do not produce any non-ASCII output may lead to incorrect hostname comparisons and incorrect URL parsing bsc1243869. - CVE-2025-3416: openssl: use-after-free in Md::fetch and...
CLSA-2024-1709562468 Fix CVE(s): CVE-2023-6004, CVE-2023-6918
SECURITY UPDATE: ProxyCommand/ProxyJump features allow injection of malicious code through hostname - debian/patches/CVE-2023-6004-pre1.patch: move common parser functions to configparser.c - debian/patches/CVE-2023-6004-pre2.patch: prevent possible segmentation fault -...
OESA-2024-1041 libssh security update
The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote...
PT-2023-13797 · Modem · Modem
Name of the Vulnerable Software and Affected Versions: Modem affected versions not specified Description: The issue is related to information disclosure due to a buffer over-read in the Modem while parsing DNS hostname. Recommendations: At the moment, there is no information about a newer version...