16511 matches found
Unity Linux 20.1060e / 20.1070e Security Update: haproxy (UTSA-2026-017431)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017431 advisory. An integer overflow exists in HAProxy 2.0 through 2.5 in htxaddheader that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypa...
PT-2026-39150
Name of the Vulnerable Software and Affected Versions fohrloop dash-uploader versions 0.1.0 through 0.7.0a2 Description A directory traversal issue allows a remote attacker to execute arbitrary code. This is possible through the dash uploader/httprequesthandler.py component, specifically within t...
CVE-2026-38360
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, aseHttpRequestHandler.gettemproot, BaseHttpRequestHandler.post components...
CVE-2026-38360
CVE-2026-38360 affects fohrloop dash-uploader, with directory traversal in dash_uploader/httprequesthandler.py affecting versions 0.1.0 through 0.7.0a2. The vulnerability arises from unvalidated user-supplied values used in get_temp_root (upload_id), resumableFilename, and resumableIdentifier, wh...
Fedora 43 : perl-Starman (2026-b94aad33a5)
The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-b94aad33a5 advisory. Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes Content-Length over...
Security update for jetty-minimal
This update for jetty-minimal fixes the following issues: CVE-2026-2332: In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques bsc1262115. CVE-2026-5795: Fixed JaspiAuthenticator broken access control...
MGASA-2026-0120 Updated perl-Starlet packages fix security vulnerability
Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence. CVE-2026-40561...
Updated perl-Starlet packages fix security vulnerability
Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence. CVE-2026-40561...
EUVD-2026-26712
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate Content-Length header...
GHSA-38F8-5428-X5CV Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding
Summary Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present. According to RFC...
HTTP Request Smuggling
Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling in the HttpObjectDecoder component. An attacker can manipulate...
GHSA-M4CV-J2PX-7723 Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing
Summary Netty's chunk size parser silently overflows int, enabling request smuggling attacks. Details io.netty.handler.codec.http.HttpObjectDecodergetChunkSize silently overflows int. The size is accumulated as follows: result = 16; result += digit; The result is checked only for negative values...
HTTP Request Smuggling
Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling via the getChunkSize function. An attacker can inject unauthorized HT...
Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing
Summary Netty's chunk size parser silently overflows int, enabling request smuggling attacks. Details io.netty.handler.codec.http.HttpObjectDecodergetChunkSize silently overflows int. The size is accumulated as follows: result = 16; result += digit; The result is checked only for negative values...
CVE-2026-41417 Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...
CVE-2026-41417 Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...
io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass...
SUSE-SU-2026:1714-1 Security update for erlang
This update for erlang fixes the following issues: - CVE-2026-21620: remote arbitrary read/write via TFTP relative path traversal bsc1258663. - CVE-2026-23941: HTTP Request Smuggling in Erlang OTP bsc1259687. - CVE-2026-23942: path traversal vulnerability in Erlang OTP bsc1259681. - CVE-2026-2394...
PT-2026-37626
Name of the Vulnerable Software and Affected Versions Gazelle versions prior to 0.50 Description Improper header precedence allows HTTP Request Smuggling. The software incorrectly prioritizes the Content-Length header over Transfer-Encoding: chunked when both are present in an HTTP request,...
EUVD-2026-27432
A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tgglasp of the file /tggl.asp of the component HTTP Request Handler. Performing a manipulation of the argument Name results in buffer overflow. The attack can be initiated remotely. The exploit is no...