CVE-2026-42584 Netty: HttpClientCodec response desynchronization

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...

CVE-2026-44431

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connectionfromurl.urlopen..., assertsamehost=False still forward these sensitive headers. This vulnerability is fixed in 2.7.0...

CVE-2026-44432

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion 1 during the second HTTPResponse.readamt=N call when the response was decompressed using the official Brotli library or 2 when...

CVE-2026-45300

creationtimestamp| type| source ---|---|--- 2026-05-12 21:02:02+00:00| published-proof-of-concept| https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm 2026-06-05 21:15:07+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnl2nqfonh2z...

CVE-2026-44219 ciguard: SCA HTTP client reads response body without size cap

ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py call payload = json.loadsresp.read.decode'utf-8' without a maximum-bytes cap. A hostile or compromised endoflife.date /...

CVE-2026-8368 LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

BIT-LIBPYTHON-2025-13836 Excessive read buffering DoS in http.client

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS...

GHSA-FP53-QCF8-2XX2 Bunsink has an SSRF bypass in `validate_webhook_url`

Summary Bugsink’s webhook URL validation in versions 2.1.2 and earlier could be partially bypassed because of a mismatch in URL parsing. In some malformed URLs, Python’s standard URL parser urllib and the HTTP client stack requests / urllib3 do not agree on which host is actually being targeted...

Bunsink has an SSRF bypass in `validate_webhook_url`

Summary Bugsink’s webhook URL validation in versions 2.1.2 and earlier could be partially bypassed because of a mismatch in URL parsing. In some malformed URLs, Python’s standard URL parser urllib and the HTTP client stack requests / urllib3 do not agree on which host is actually being targeted...

Netty has HttpClientCodec response desynchronization

Summary If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another's. Details HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD a...

GHSA-XW8C-RRVX-F7XQ ciguard: SCA HTTP client reads response body without size cap

Summary Both SCA HTTP clients src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py call payload = json.loadsresp.read.decode'utf-8' without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev or a successful TLS MITM could return a multi-GB response,...

CVE-2026-33975

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

CVE-2026-40542

A flaw was found in Apache HttpClient. This vulnerability allows a remote attacker to bypass a critical step in the SCRAM-SHA-256 authentication process. By exploiting this, an attacker can trick the client into accepting authentication without proper mutual verification, potentially compromising...

Astra Linux - уязвимость в golang-1.19

The net/http HTTP/1.1 client mishandled the situation where a server responds to a request with an “Expect: 100-continue” header with a non-informational 200 or higher status. This mishandling could leave a client connection in an invalid state, causing the next request sent on that connection to...

UBUNTU-CVE-2026-42042

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...

UBUNTU-CVE-2026-42035

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

CVE-2026-42033

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can a silently intercept and modify every JSON response before the...

UBUNTU-CVE-2026-42044

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

UBUNTU-CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...