CVE-2026-43995
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2)...
PT-2026-39183
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.1.0. Description: Multiple tool implementations bypass the centralized HTTP security wrapper httpSecurity.ts, which is designed to provide Server-Side Request Forgery (SSRF) protections through deny-list validation, IP...
HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126
Http Client Manager introduces a new Guzzle-based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA)...
EUVD-2021-0119
Malware in sbrugna...
EUVD-2020-29435
Malware in sbrugna...
EUVD-2024-3212
Malicious code in bioql PyPI...
EUVD-2025-10981
Malicious code in bioql PyPI...
EUVD-2022-52721
Malicious code in bioql PyPI...
EUVD-2025-16398
Malicious code in bioql PyPI...
This Week in Spring: September 30th, 2025
Hi, Spring fans! As I write this I am about to board a flight for Colorado for the amazing Dev2Next conference! I'll be in Antwerp, Belgium for the amazing Devoxx event next week, and I'll be speaking at the Amsterdam JUG with James Ward on the Thursday after that, too! If you're around, be sure ...
CVE-2025-59347
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat job...
PT-2025-38258
Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.1.0. Description: Dragonfly, an open source P2P-based file distribution and image acceleration system, disables TLS certificate verification in its HTTP clients. These clients are not configurable, preventing users...
GO-2025-3722 Fabio allows HTTP clients to manipulate custom headers it adds in github.com/fabiolb/fabio
Fabio allows HTTP clients to manipulate custom headers it adds in github.com/fabiolb/fabio...
CVE-2025-48865
Fabio (fabio) is an HTTP(S) and TCP router for deploying Consul-managed apps. Prior to version 1.6.6, it mishandles hop-by-hop headers, allowing clients to remove or modify X-Forwarded headers (e.g., X-Forwarded-Host, X-Forwarded-Port) that Fabio injects when routing to backends. The attack relie...
GHSA-Q7P4-7XJV-J3WF Fabio allows HTTP clients to manipulate custom headers it adds
Summary Fabio allows clients to remove X-Forwarded headers except X-Forwarded-For due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should...
Fabio allows HTTP clients to manipulate custom headers it adds
Summary Fabio allows clients to remove X-Forwarded headers except X-Forwarded-For due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should...
CVE-2020-8587
OnCommand System Manager 9.x versions prior to 9.3P20 and 9.4 prior to 9.4P3 are susceptible to a vulnerability that could allow HTTP clients to cache sensitive responses making them accessible to an attacker who has access to the system where the client runs...
CVE-2025-1948 Eclipse Jetty HTTP clients can increase memory allocation
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to...
Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts
Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments. Enterprise security company Proofpoint said it observed campaigns using the HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP...
PT-2025-16250 · Libsoup +9
Name of the Vulnerable Software and Affected Versions: libsoup (affected versions not specified). Description: A flaw was found in libsoup, where the soup_multipart_new_from_message function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server...