3718 matches found
SUSE-SU-2026:1198-1 Security update for ignition
This update for ignition fixes the following issue: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260251...
Security update for ignition
This update for ignition fixes the following issue: CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260251 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...
SUSE-SU-2026:1197-1 Security update for ignition
This update for ignition fixes the following issue: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260251...
CVE-2026-35213 Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing
@hapi/content provided HTTP Content- headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service ReDoS via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...
BIT-NODE-MIN-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...
@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing
All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service ReDoS via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been...
CVE-2026-34767 Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via...
CVE-2025-66485
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...
EUVD-2025-209182
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...
CVE-2025-66485 Multiple vulnerabilities have been addressed in IBM Aspera Shares
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...
CVE-2025-66485 Multiple vulnerabilities have been addressed in IBM Aspera Shares
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...
CVE-2025-66485
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...
CVE-2026-34514
A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker, by manipulating the contenttype parameter, could inject additional HTTP headers. This could lead to unexpected behavior or bypass certain security measures within applications...
Amazon Linux 2023 : python3.13-tornado (ALAS2023-2026-1528)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1528 advisory. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers where it could be used for head...
UBUNTU-CVE-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...
CVE-2026-33433
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when headerField is configured with a non-canonical HTTP header name e.g., x-auth-user instead of X-Auth-User, an authenticated attacker can inject their own canonical version of that header to...
SUSE SLES15 Security Update : salt (SUSE-SU-2026:1028-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1028-1 advisory. - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS vi...
SUSE SLES15 / openSUSE 15 Security Update : salt (SUSE-SU-2026:1029-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1029-1 advisory. - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725...
CVE-2025-14807
IBM InfoSphere Information Server is affected by CVE-2025-14807 due to HTTP header injection from improper HOST header validation. Affected versions are InfoSphere Information Server 11.7.0.0 through 11.7.1.6. IBM lists remediation to upgrade to 11.7.1.0 or 11.7.1.6, including 11.7.1.6 Service Pa...
WeChat Pay callback signature verification bypassed when Host header is localhost
Summary The verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header,...