2483 matches found

Tenable Nessus
added 2026/01/14 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-59465

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of...

CVSS 7.5 | AI score 7.2 | EPSS 0.00929
Exploits: 0 | References: 2

OPENSUSE Linux
added 2026/01/13 12:0 a.m. | 7 views

Security update for python-tornado6 (important)

openSUSE security update: security update for python-tornado6. Announcement ID: openSUSE-SU-2026:20015-1. Rating: important. References: bsc1254903 bsc1254904 bsc1254905. Cross-References: CVE-2025-67724 CVE-2025-67725 CVE-2025-67726. CVSS...

CVSS 8.7 | AI score 6.7 | EPSS 0.00396
Exploits: 0 | References: 3

Tenable Nessus
added 2026/01/13 12:0 a.m. | 18 views

Node.js 20.x < 20.20.0 / 22.x < 22.22.0 / 24.x < 24.13.0 / 24.x < 24.13.0 / 25.x < 25.3.0 Multiple Vulnerabilities (Tuesday, January 13, 2026 Security Releases).

"The version of Node.js installed on the remote host is prior to 20.20.0, 22.22.0, 24.13.0, 24.13.0, 25.3.0. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, January 13, 2026 Security Releases advisory. - A flaw in Node.js's permission model allows a file's...

CVSS 10 | AI score 7.2 | EPSS 0.01056
Exploits: 3 | References: 9

OSV
added 2026/01/12 10:30 a.m. | 4 views

SUSE-SU-2026:20071-1 Security update for python-tornado6

This update for python-tornado6 fixes the following issues: - CVE-2025-67724: unescaped reason argument used in HTTP headers and in HTML default error pages can be used by attackers to launch header injection or XSS attacks bsc1254903. - CVE-2025-67725: quadratic complexity of string concatenatio...

CVSS 7.5 | AI score 7 | EPSS 0.00396
Exploits: 0 | References: 7

OSV
added 2026/01/12 10:29 a.m. | 3 views

OPENSUSE-SU-2026:20015-1 Security update for python-tornado6

This update for python-tornado6 fixes the following issues: - CVE-2025-67724: unescaped reason argument used in HTTP headers and in HTML default error pages can be used by attackers to launch header injection or XSS attacks bsc1254903. - CVE-2025-67725: quadratic complexity of string concatenatio...

CVSS 7.5 | AI score 5.7 | EPSS 0.00396
Exploits: 0 | References: 6

RedhatCVE
added 2026/01/09 10:10 a.m. | 6 views

CVE-2019-11921

An out of bounds write is possible via a specially crafted packet in certain configurations of Proxygen due to improper handling of Base64 when parsing malformed binary content in Structured HTTP Headers. This issue affects versions of proxygen prior to v2019.07.22.00...

CVSS 9.8 | AI score 6.9 | EPSS 0.02077
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 9:59 a.m. | 3 views

CVE-2020-7671

goliath through 1.0.6 allows request smuggling attacks where goliath is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to b...

CVSS 7.5 | AI score 6.8 | EPSS 0.01221
Exploits: 0 | References: 1

Tenable Nessus
added 2026/01/09 12:0 a.m. | 2 views

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : Tornado vulnerabilities (USN-7950-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7950-1 advisory. It was discovered that Tornado incorrectly handled special characters in HTTP headers. An...

CVSS 7.5 | AI score 7.2 | EPSS 0.00396
Exploits: 0 | References: 4

OpenVAS
added 2026/01/09 12:0 a.m. | 3 views

Ubuntu: Security Advisory (USN-7950-1)

The remote host is missing an update for the...

CVSS 7.5 | AI score 6.8 | EPSS 0.00396
Exploits: 0 | References: 2

OSV
added 2026/01/08 6:39 p.m. | 4 views

USN-7950-1 python-tornado vulnerabilities

It was discovered that Tornado incorrectly handled special characters in HTTP headers. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10...

CVSS 7.5 | AI score 6.1 | EPSS 0.00396
Exploits: 0 | References: 4

SUSE CVE
added 2026/01/08 12:25 a.m. | 2 views

SUSE CVE-2026-21428

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the write_headers function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add...

CVSS 8.7 | AI score 6.5 | EPSS 0.00372
Exploits: 1 | References: 4

NVD
added 2026/01/07 12:16 p.m. | 1 views

CVE-2025-13694

The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is...

CVSS 5.3 | EPSS 0.00205
Exploits: 0 | References: 3

RedhatCVE
added 2026/01/07 9:34 a.m. | 5 views

CVE-2019-7726

modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request e.g., Referer and User-Agent...

CVSS 9.8 | AI score 7.4 | EPSS 0.02282
Exploits: 0 | References: 1

SUSE Linux
added 2026/01/05 10:27 a.m. | 4 views

Security update for python-tornado6

This update for python-tornado6 fixes the following issues: CVE-2025-67724: unescaped reason argument used in HTTP headers and in HTML default error pages can be used by attackers to launch header injection or XSS attacks bsc1254903. CVE-2025-67725: quadratic complexity of string concatenation...

CVSS 8.7 | AI score 6.2 | EPSS 0.00396
Exploits: 0 | References: 12

Cvelist
added 2026/01/01 5:54 p.m. | 23 views

CVE-2026-21428 cpp-httplib has CRLF injection in http headers

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the write_headers function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add...

CVSS 8.7 | EPSS 0.00372
Exploits: 1 | References: 3

Positive Technologies
added 2026/01/01 12:0 a.m. | 6 views

PT-2026-25010

Name of the Vulnerable Software and Affected Versions: multipart versions prior to 1.2.2; multipart versions prior to 1.3.1; multipart versions prior to 1.4.0-dev. Description: The parse_options_header function within the multipart.py file utilizes a regular expression containing an ambiguous...

CVSS 7.5 | AI score 7.2 | EPSS 0.00392
Exploits: 0 | References: 19

SUSE CVE
added 2025/12/25 12:27 a.m. | 5 views

SUSE CVE-2025-67725

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...

CVSS 7.5 | AI score 6.5 | EPSS 0.00396
Exploits: 0 | References: 44

RedhatCVE
added 2025/12/17 9:27 a.m. | 4 views

CVE-2025-64702

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...

CVSS 5.3 | AI score 6.8 | EPSS 0.00325
Exploits: 0 | References: 5

RedhatCVE
added 2025/12/12 10:45 p.m. | 3 views

CVE-2025-67725

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...

CVSS 7.5 | AI score 6.3 | EPSS 0.00396
Exploits: 0 | References: 6

Snyk
added 2025/12/12 6:50 a.m. | 3 views

Inefficient Algorithmic Complexity

Overview tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the HTTPHeaders.add method. An attacker can cause the server's event loop to become...

CVSS 8.7 | AI score 6.8 | EPSS 0.00396
Exploits: 0 | References: 2