OSV
added 2026/04/07 10:25 a.m.

SUSE-SU-2026:1198-1 Security update for ignition

This update for ignition fixes the following issue: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260251)...

CVSS 9.1, AI score 5.8, EPSS 0.01557
Exploits 1, References 3
SUSE Linux
added 2026/04/07 10:25 a.m.

Security update for ignition

This update for ignition fixes the following issue: CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260251). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

CVSS 8.6, AI score 5.9, EPSS 0.01557
Exploits 1, References 4
OSV
added 2026/04/07 10:25 a.m.

SUSE-SU-2026:1197-1 Security update for ignition

This update for ignition fixes the following issue: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260251)...

CVSS 9.1, AI score 5.8, EPSS 0.01557
Exploits 1, References 3
Cvelist
added 2026/04/06 8:08 p.m.

CVE-2026-35213 Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing

@hapi/content provides HTTP Content-* header parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns...

CVSS 8.7, EPSS 0.00413
Exploits 0, References 2
OSV
added 2026/04/06 7:58 a.m.

BIT-NODE-MIN-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named `__proto__` and the application accesses req.headersDistinct. When this occurs, `dest["__proto__"]` resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

CVSS 7.5, AI score 7.2, EPSS 0.26356
Exploits 0, References 2
Github Security Blog
added 2026/04/04 4:23 a.m.

@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing

All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been...

CVSS 8.7, AI score 5.4, EPSS 0.00413
Exploits 0, References 4, Affected software 1
Cvelist
added 2026/04/03 11:43 p.m.

CVE-2026-34767 Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via...

CVSS 5.9, EPSS 0.00211
Exploits 0, References 1
RedhatCVE
added 2026/04/03 5:08 a.m.

CVE-2025-66485

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

CVSS 5.4, AI score 5.9, EPSS 0.002
Exploits 0, References 1
EUVD
added 2026/04/02 12:31 a.m.

EUVD-2025-209182

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

CVSS 5.4, AI score 5.9, EPSS 0.002
Exploits 0, References 2
Cvelist
added 2026/04/01 11:01 p.m.

CVE-2025-66485 Multiple vulnerabilities have been addressed in IBM Aspera Shares

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

CVSS 5.4, EPSS 0.002
Exploits 0, References 1
Vulnrichment
added 2026/04/01 11:01 p.m.

CVE-2025-66485 Multiple vulnerabilities have been addressed in IBM Aspera Shares

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

CVSS 5.4, AI score 5.9, EPSS 0.002
Exploits 0, References 1
ATTACKERKB
added 2026/04/01 11:01 p.m.

CVE-2025-66485

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

CVSS 5.4, AI score 5.9, EPSS 0.002
Exploits 0, References 2, Affected software 1
RedhatCVE
added 2026/04/01 10:50 p.m.

CVE-2026-34514

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker, by manipulating the `content_type` parameter, could inject additional HTTP headers. This could lead to unexpected behavior or bypass certain security measures within applications...

CVSS 6.9, AI score 5.8, EPSS 0.00315
Exploits 0, References 6
Tenable Nessus
added 2026/04/01 12:00 a.m.

Amazon Linux 2023 : python3.13-tornado (ALAS2023-2026-1528)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1528 advisory. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers where it could be used for head...

CVSS 8.7, AI score 6.6, EPSS 0.00396
Exploits 0, References 10
OSV
added 2026/03/30 8:16 p.m.

UBUNTU-CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named `__proto__` and the application accesses req.headersDistinct. When this occurs, `dest["__proto__"]` resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

CVSS 7.5, AI score 7.3, EPSS 0.26356
Exploits 0, References 3
NVD
added 2026/03/27 3:16 p.m.

CVE-2026-33433

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject their own canonical version of that header to...

CVSS 8.8, EPSS 0.00469
Exploits 1, References 8
Tenable Nessus
added 2026/03/26 12:00 a.m.

SUSE SLES15 Security Update : salt (SUSE-SU-2026:1028-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1028-1 advisory. - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase (bsc#1254903). CVE-2025-67725: Fixed DoS vi...

CVSS 7.5, AI score 6.8, EPSS 0.01525
Exploits 0, References 16
Tenable Nessus
added 2026/03/26 12:00 a.m.

SUSE SLES15 / openSUSE 15 Security Update : salt (SUSE-SU-2026:1029-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1029-1 advisory. - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase (bsc#1254903). CVE-2025-67725...

CVSS 7.5, AI score 6.8, EPSS 0.01525
Exploits 0, References 16
CVE
added 2026/03/25 8:46 p.m.

CVE-2025-14807

IBM InfoSphere Information Server is affected by CVE-2025-14807 due to HTTP header injection from improper HOST header validation. Affected versions are InfoSphere Information Server 11.7.0.0 through 11.7.1.6. IBM lists remediation to upgrade to 11.7.1.0 or 11.7.1.6, including 11.7.1.6 Service Pa...

CVSS 6.5, AI score 5.6, EPSS 0.00221
Exploits 0, References 1, Affected software 1
Github Security Blog
added 2026/03/25 7:30 p.m.

WeChat Pay callback signature verification bypassed when Host header is localhost

Summary: The verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header,...

CVSS 8.6, AI score 5.9, EPSS 0.00503
Exploits 1, References 5, Affected software 1