633 matches found
gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames
...
CVE-2026-4438
Calling gethostbyaddr or gethostbyaddrr with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification...
GNU C Library 安全漏洞
The GNU C Library is an open-source, free C programming language library published by the GNU community under the LGPL license. Versions of the GNU C Library 2.34 to 2.43 contain security vulnerabilities. These vulnerabilities arise from the gethostbyaddr or gethostbyaddrr functions potentially...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the URL validation logic due to improper handling of underscores in hostnames. An attacker can access internal resources or sensitive endpoints by submitting specially crafted URLs containing...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the URL validation logic due to improper handling of underscores in hostnames. An attacker can access internal resources or sensitive endpoints by submitting specially crafted URLs containing...
CVE-2026-25534
CVE-2026-25534 affects Spinnaker clouddriver and Orca URL validation, where underscores in hostnames were not properly handled by Java URL parsing, bypassing prior URL validation checks. Public sources (NVD/Red Hat/Snyk/OSV) confirm the impact and note that patches have been merged to be released...
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
CVE-2026-3632
CVE-2026-3632 affects the libsoup library used to send network requests. The root cause is improper hostname validation which allows special characters to be injected into HTTP headers, enabling HTTP smuggling and, in some cases, Server-Side Request Forgery (SSRF) . The incident is contextualized...
CVE-2026-3632 Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames
A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where...
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
GHSA-8R8J-GFHG-FW38 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
CVE-2026-21791
HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL...
CVE-2026-30953
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL LinkRepository::create calls HtmlMeta::getFromUrl. The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-si...
EUVD-2026-10874
LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL LinkRepository::create calls HtmlMeta::getFromUrl. The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-si...
CVE-2026-30953
LinkAce is affected by CVE-2026-30953 due to missing validation for NoPrivateIpRule during link creation. The server fetches HTML metadata from user-provided URLs in LinkRepository::create() via HtmlMeta::getFromUrl(), and the NoPrivateIpRule is only applied in FetchController.php, not in the pri...
EUVD-2026-10488
HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL...
EUVD-2026-10489
HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL...
CVE-2026-21791
HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL...