CVE-2026-8023 Path traversal in Zephyr HTTP server static-filesystem resource handler allows unauthenticated remote arbitrary file read

Zephyr's HTTP server subsys/net/lib/http provides a static-filesystem resource type HTTPRESOURCETYPESTATICFS, available when CONFIGFILESYSTEM is enabled that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled...

CVE-2026-8023

CVE-2026-8023 concerns Zephyr’s HTTP server static-filesystem resource handler, where HTTP/1 and HTTP/2 front-ends copied the raw request path into a buffer without removing dot segments. This allowed path traversal to escape the configured web root and read arbitrary files after the filesystem r...

CVE-2026-54753

Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: on every response, letting any website a developer visited read the server's responses cross-origin — including...

Apache HTTP server v2.4.0 to v2.4.39 - Open Redirect

In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with modrewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. id: CVE-2019-10098 info: name: Apache HTTP server v2.4.0 to v2.4.39 - Open...

Apache HTTP Server - Remote Code Execution

Apache HTTP Server 2.4.32 to 2.4.44 contains an info disclosure and possible remote code execution caused by a vulnerability in modproxyuwsgi, letting remote attackers access sensitive information and potentially execute arbitrary code, exploit requires sending crafted requests. id: CVE-2020-1198...

Security Bulletin: Due to use of IBM Tivoli Monitoring , IBM Cloud Pak System is affected by multiple vulnerabilities.

Summary Multiple vulnerabilities were addressed in IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-39573 DESCRIPTION: Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in the modrewrite. By sending a specially crafted request, an attacker could exploit...

Apache HTTP Server: mod_proxy_ajp: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow

A flaw was found in modproxyajp of Apache HTTP Server. This heap-based buffer overflow vulnerability allows a remote attacker, by connecting to a malicious AJP Apache JServ Protocol server, to send a specially crafted message. This message can cause modproxyajp to write attacker-controlled data...

Important: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.62 SP4 security update

Red Hat JBoss Core Services Apache HTTP Server 2.4.62 Service Pack 4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

Debian dla-4639 : libhttp-daemon-perl - security update

The remote Debian 11 / 12 host has a package installed that is affected by a vulnerability as referenced in the dla-4639 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4639-1 [email protected]...

Amazon Linux 2023 : mod_http2 (ALAS2023-2026-1859)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1859 advisory. Use After Free vulnerability in Apache HTTP Server module modhttp2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67. CVE-2026-48913...

Amazon Linux 2 : httpd, --advisory ALAS2-2026-3379 (ALAS-2026-3379)

The version of httpd installed on the remote host is prior to 2.4.68-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3379 advisory. Use After Free vulnerability in Apache HTTP Server with modldap in per-directory configuration This issue affects Apache HT...

Amazon Linux 2023 : httpd, httpd-core, httpd-devel (ALAS2023-2026-1880)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1880 advisory. Use After Free vulnerability in Apache HTTP Server with modldap in per-directory configuration This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrad...

RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.62 SP4 (RHSA-2026:27200)

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:27200 advisory. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTT...

Astra Linux – Vulnerability in the supervisor

In Supervisor version 4.0.2, an unauthenticated user can read log files or restart a service. Note: The maintainer confirmed that the affected component, inethttpserver, is not enabled by default. However, if the user enables it and does not set a password, Supervisor will log a warning message...

Astra Linux – Vulnerability in Apache2

A out-of-bounds read vulnerability exists in the modmacro module of the Apache HTTP Server. This issue affects the Apache HTTP Server version up to 2.4.57...

Astra Linux – Vulnerability in Apache2

A carefully crafted request body can cause a read to a random memory area, which may lead to the process crashing. This issue affects Apache HTTP Server 2.4.52 and earlier...

Astra Linux – Vulnerability in Apache2

Insufficient escaping of user-supplied data in modssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%varnamex" or "%varnamec" to log variables...

Astra Linux – Vulnerability in Apache2

The out-of-bounds write vulnerability in the modsed module of the Apache HTTP Server allows an attacker to overwrite heap memory with data provided by the attacker. This issue affects Apache HTTP Server version 2.4.2.52 and earlier versions...

Astra Linux – Vulnerability in Apache2

apescapequotes may write beyond the end of a buffer when given malicious input. None of the included modules passes untrusted data to these functions, but third-party/external modules may do so. This issue affects Apache HTTP Server 2.4.48 and earlier...

Astra Linux – Vulnerability in Apache2

In Apache HTTP Server 2.4.59 and earlier, a null pointer dereference vulnerability in modproxy allows an attacker to crash the server through a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue...