GHSA-375F-4R2H-F99J Bandit trusts client-supplied URI scheme on plaintext connections

Summary Bandit reflects the client-supplied URI scheme into conn.scheme without verifying the actual transport. Over a plaintext HTTP/1.1 connection or h2c, an unauthenticated attacker can send an absolute-form request target like GET https://victim/path HTTP/1.1 and the application observes...

CVE-2026-42404

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP...

DEBIAN-CVE-2026-40490

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled followRedirecttrue, versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers...

Server-side Request Forgery (SSRF)

Overview ragas is an Evaluation framework for RAG and LLM applications Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper validation of URLs in the retrievedcontexts parameter when processing multimodal inputs. An attacker can access arbitrary files,...

MiracleLinux 9 : squid-5.5-6.el9_3.2 (AXSA:2023-7053:06)

The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2023-7053:06 advisory. squid: DoS against HTTP and HTTPS CVE-2023-5824 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory. Note...

CVE-2025-14524

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host...

EUVD-2012-3662

Malware in sbrugna...

EUVD-2013-0009

Malware in sbrugna...

EUVD-2017-11594

Malware in sbrugna...

EUVD-2004-0870

Malware in sbrugna...

EUVD-2019-0258

Malware in sbrugna...

EUVD-2018-16183

Malware in sbrugna...

EUVD-2022-3279

Malicious code in bioql PyPI...

EUVD-2023-47235

Malicious code in bioql PyPI...

EUVD-2023-52819

Malicious code in bioql PyPI...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read due to improper validation in the path comparison process. An attacker can cause a crash or override the contents of a secure cookie by setting a cookie with the secure keyword for an HTTPS site, then redirecting to t...

CVE-2024-51979

An authenticated attacker may trigger a stack based buffer overflow by performing a malformed request to either the HTTP service TCP port 80, the HTTPS service TCP port 443, or the IPP service TCP port 631. The malformed request will contain an empty Origin header value and a malformed Referer...

Medium: curl

Issue Overview: When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform...

CVE-2023-48786

A server-side request forgery vulnerability CWE-918 in Fortinet FortiClientEMS version 7.4.0 through 7.4.2 and before 7.2.6 may allow an authenticated attacker to perform internal requests via crafted HTTP or HTTPS requests...

OESA-2025-1612 cpp-httplib security update

A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code! Security Fixes: cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size...