Lucene search
K

1089 matches found

RedHat Linux
RedHat Linux
added 2026/07/06 4:52 a.m.5 views

undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici's HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket...

3.7CVSS7AI score0.00228EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/07/03 11:3 a.m.10 views

CVE-2026-38969

A flaw was found in WEBrick, a Ruby web server toolkit. This vulnerability allows a remote attacker to perform request smuggling by manipulating the Content-Length header in HTTP/1.1 requests. WEBrick incorrectly re-parses the trailer Content-Length, leading to a desynchronization between the pro...

7.5CVSS5.9AI score0.00352EPSS
Exploits0References6
NVD
NVD
added 2026/07/01 5:16 p.m.10 views

CVE-2026-54399

Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core 5.4.2 and earlier, 5.5-beta1 and earlier allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive...

7.5CVSS0.00587EPSS
Exploits0References2
CVE
CVE
added 2026/06/29 8:3 p.m.24 views

CVE-2026-13763

This CVE affects AWS Application Load Balancer (ALB) with AWS WAF enabled, where inconsistent interpretation of HTTP/2 requests can allow bypass of WAF body inspection when the request body is fragmented across frames, leading to partial inspection. Affected component: HTTP/2 ALB target groups; r...

9.8CVSS5.8AI score0.00473EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/26 1:14 a.m.41 views

CVE-2026-48619

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

5.3CVSS0.00656EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 6:1 p.m.5 views

CVE-2026-56766

Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing malicious NTLM Type-2 challenges. A malicious server can send a crafted NTLM Type-2 challenge with an...

8.8CVSS6.8AI score0.01325EPSS
Exploits2References3
RedHat Linux
RedHat Linux
added 2026/06/22 2:45 a.m.8 views

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

9.1CVSS7.3AI score0.01557EPSS
Exploits1References5
SUSE CVE
SUSE CVE
added 2026/06/20 2:29 a.m.11 views

SUSE CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS6AI score0.00445EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/06/19 12:0 a.m.15 views

nginx 1.31.x < 1.31.2 Use-After-Free Vulnerability

The installed version of nginx is 1.31.x prior to 1.31.2. It is, therefore, affected by the following vulnerability: - NGINX Open Source has a vulnerability in the ngxhttpv3module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along...

9.2CVSS6.3AI score0.03225EPSS
Exploits3References3
Debian CVE
Debian CVE
added 2026/06/18 6:1 p.m.10 views

CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS5.3AI score0.00445EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.26 views

PT-2026-49958

Name of the Vulnerable Software and Affected Versions MySQL Shell Shell for VS Code version 2026.2.0+9.6.1 Description An issue in the Shell for VS Code component of MySQL Shell allows a low-privileged attacker with network access via HTTP to compromise the software. Successful exploitation can...

9.9CVSS5.8AI score0.00521EPSS
Exploits0References4
OSV
OSV
added 2026/06/15 8:46 p.m.10 views

GHSA-HVCG-QMG6-JM4C Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

Summary Before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControlb is true 0x00–0x1F and 0x7F as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance...

5.3CVSS5.4AI score0.00232EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/13 2:34 a.m.14 views

CVE-2026-48748

A flaw was found in Netty. A remote attacker can exploit a memory exhaustion vulnerability in the Netty HTTP/3 codec by creating an infinite number of blocked streams. This can lead to an Out Of Memory OOM error, resulting in a Denial of Service DoS for the affected system. Mitigation Mitigation...

7.5CVSS5AI score0.00366EPSS
Exploits0References5
NVD
NVD
added 2026/06/12 3:16 p.m.14 views

CVE-2026-47244

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAXVALUE, and Http2Settings never inserts...

5.3CVSS0.00292EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/06/10 4:54 p.m.19 views

httpd: httpd: HTTP/2 Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

7.5CVSS7.1AI score0.11471EPSS
Exploits8References6
Snyk
Snyk
added 2026/06/04 6:19 p.m.8 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the fallback process for deriving native memory addresses when hasMemoryAddress returns false and sun.misc.Unsafe is unavailable. An attacker can corrupt memory of concurrent connections and disclose contents of...

9.1CVSS5.3AI score0.00174EPSS
Exploits0References2
OSV
OSV
added 2026/06/03 8:59 p.m.9 views

GHSA-VVGJ-X9JQ-8CJ9 quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an http.Header for t...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References7
CVE
CVE
added 2026/06/02 2:15 p.m.23 views

CVE-2026-49754

The CVE-2026-49754 entry describes a memory exhaustion vulnerability in elixir-mint Mint’s HTTP/2 receive path. When a HEADERS frame arrives without END_HEADERS, the unparsed header-block is queued and each subsequent CONTINUATION frame on that stream appends to the accumulator with no cap. There...

8.2CVSS5.9AI score0.00384EPSS
Exploits0References4
SUSE Linux
SUSE Linux
added 2026/06/01 10:3 a.m.29 views

Security update for wireshark

This update for wireshark fixes the following issues CVE-2026-5401: AFP dissector crash bsc1263756. CVE-2026-5403: SBC audio codec crash bsc1263765. CVE-2026-5404: K12 RF5 file parser crash bsc1263766. CVE-2026-5405: RDP dissector crash bsc1263767. CVE-2026-5406: FC-SWILS dissector crash...

8.8CVSS6.7AI score0.00206EPSS
Exploits29References116
SUSE Linux
SUSE Linux
added 2026/06/01 7:8 a.m.15 views

Security update for ignition

This update for ignition fixes the following issue CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265751. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or...

7.5CVSS5.8AI score0.00781EPSS
Exploits0References4
Rows per page
Query Builder