CVE-2026-3633

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soupmessagenew function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF Carriage Return Line Feed injection, occurs because the method value is not properly...

CVE-2025-36227

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijackin...

EUVD-2012-5946

Malware in sbrugna...

EUVD-2025-12838

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2020-1695

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation...

Security Bulletin: Vulnerabilities in Golang Go affect watsonx.data

Summary Golang Go has multiple vulnerabilities that include HTTP injection, remote attacks to conduct query parameter smuggling, remote attackd to bypass security restrictions, and denial of service attacks. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2022-32189 DESCRIPTION:...

CVE-2023-42450

Mastodon (ActivityPub-based) is affected in versions up to 4.2.0-rc2 where crafting specific input can inject arbitrary data into HTTP requests issued by the server. The issue enables confused deputy attacks if ALLOWED_PRIVATE_ADDRESSES permits access to local exploitable services. A patch exists...

CVE-2023-1097

Baicells EG7035-M11 devices with firmware through BCE-ODU-1.0.8 are vulnerable to improper code exploitation via HTTP GET command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party...

Security Bulletin: Vulnerability in IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 affecting CICS Transaction Gateway Desktop Edition

Summary There is a vulnerability which is related to HTTP injection in IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 used by CICS Transaction Gateway Desktop Edition. CICS Transaction Gateway Desktop Edition has...

AZL-11357 CVE-2022-39348 affecting package python-twisted for versions less than 22.10.0-2

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and scri...

Jenkins allows HTTP Injection and Response Splitting

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via...

CVE-2020-28031

eramba through c2.8.1 allows HTTP Host header injection with for example resultant wkhtml2pdf PDF printing by authenticated users...

TP-Link TL-WR849N Remote Code Execution

Exploit Title: TP LINK TL-WR849N - Remote Code Execution Date: 2019-11-20 Exploit Author: Elber Tavares Vendor Homepage: https://www.tp-link.com/ Software Link: https://www.tp-link.com/br/support/download/tl-wr849n/Firmware Version: TL-WR849N 0.9.1 4.16 Tested on: linux, windows CVE : CVE-2020-93...

Debian DLA-1663-1 : python3.4 security update

This DLA fixes a a problem parsing x509 certificates, an pickle integer overflow, and some other minor issues : CVE-2016-0772 The smtplib library in CPython does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a...

Code injection

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" All versions V14, SIMATIC HMI Comfort Outdoor Panels 7" & 15" All versions V14, SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F All versions V14, SIMATIC WinCC Runtime Advanced All versions V14,...

CVE-2018-16979

Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943...

Samsung SmartThings Hub hubCore Port 39500 HTTP Header Injection Vulnerability

Summary An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub. The hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings’ remote servers, which insecurely handle JSON messages, leading to partially controll...

Command injection

The remote administration interface in D-Link DIR-815 devices with firmware before 2.03.B02 allows remote attackers to execute arbitrary commands via vectors related to an "HTTP command injection issue."...

Cisco IP Phone 8861 Multiple WPA2 Vulnerabilities

Cisco IP Phone 8861 is prone to key reinstallation attacks against WPA protocol. SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...

Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse

Overview Wi-Fi Protected Access WPA, more commonly WPA2 handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point AP or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to...