
16523 matches found

OSV
added 2025/12/09 8:14 p.m., 0 views

USN-7918-1 netty vulnerabilities

Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP messages. When Netty is used with certain reverse proxies, a remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2025-58056) Jonas Konrad discovered that Netty did not properly manage memory...

CVSS 7.5, AI score 5.8, EPSS 0.00097
Exploits: 2, References: 3
CVE
added 2025/12/09 5:18 p.m., 11 views

CVE-2025-64153

CVE-2025-64153 is an OS command injection in Fortinet FortiExtender. An authenticated attacker can execute arbitrary commands via a crafted HTTP request due to improper input neutralization in FortiExtender versions 7.0, 7.2, 7.4.0–7.4.7, and 7.6.0–7.6.3. Public reports (Red Hat, CIRCL, CVE lists,...

CVSS 7.2, AI score 7.1, EPSS 0.00102
Exploits: 0, References: 1, Affected Software: 1
IBM Security Bulletins
added 2025/12/09 10:59 a.m., 5 views

Security Bulletin: IBM Documentation Offline is vulnerable to `Node.js ReadFileUtf8 and HTTP Parser flaws` due to Node.js (CVE-2025-23165, CVE-2025-23167)

Summary: IBM Documentation Offline utilizes Node.js as a third-party component, which contains two vulnerabilities that could potentially affect your product's stability and security. CVE-2025-23165 (CVSS: 3.7) is a Denial of Service (DoS) vulnerability in the ReadFileUtf8 internal binding. Repeated u...

CVSS 7.5, AI score 6.8, EPSS 0.0056
Exploits: 1, Affected Software: 1
CNNVD
added 2025/12/09 12:00 a.m., 1 views

Fortinet FortiSandbox Cross-Site Scripting Vulnerability

Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection appliance from US-based Fortinet. The appliance offers dual sandboxing technology, a dynamic threat intelligence system, a real-time control panel and reporting. A cross-site scripting vulnerability exists in Fortinet FortiSandbox...

CVSS 6.1, AI score 5.9, EPSS 0.00111
Exploits: 0, References: 2
GithubExploit
added 2025/12/04 8:50 p.m., 144 views

Exploit for CVE-2025-66478

Check for CVE-2025-66478. Checks if your NextJS server is vulne...

CVSS 10, AI score 7, EPSS 0.83197
Exploits: 377
Tenable Nessus
added 2025/12/03 12:00 a.m., 3 views

SUSE SLED15 / SLES15 Security Update : ruby2.5 (SUSE-SU-2025:4264-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:4264-1 advisory. - CVE-2024-35221: Fixed remote DoS via YAML manifest (bsc#1225905) - CVE-2024-47220: Fixed HTTP request smuggling...

CVSS 8.7, AI score 6.4, EPSS 0.01645
Exploits: 0, References: 26
Positive Technologies
added 2025/12/02 12:00 a.m., 3 views

PT-2025-48787

Name of the Vulnerable Software and Affected Versions: Akamai (affected versions not specified). Description: A flaw exists in Akamai that allows for HTTP request smuggling due to an invalid chunked body size. This issue, identified as a discrepancy between the chunk size and chunk data, enabled...

AI score 6.3, EPSS 0.00034
Exploits: 0, References: 9
Tenable Nessus
added 2025/11/24 12:00 a.m., 2 views

RHEL 8 / 9 : OpenShift Container Platform 4.14.59 (RHSA-2025:21328)

The remote Red Hat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:21328 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

CVSS 9.1, AI score 7.2, EPSS 0.00294
Exploits: 4, References: 10
Tenable Nessus
added 2025/11/20 12:00 a.m., 4 views

TencentOS Server 4: libsoup (TSSA-2025:0247)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0247 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

CVSS 7.5, AI score 7, EPSS 0.00366
Exploits: 1, References: 3
Vulnrichment
added 2025/11/14 10:51 p.m., 3 views

CVE-2021-4465 ReQuest Serious Play F3 Media Server <= 7.0.3 Remote DoS

ReQuest Serious Play F3 Media Server versions 7.0.3.4968 Pro, 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 contain a remote denial-of-service vulnerability. The device can be shut down or rebooted by an unauthenticated attacker through a single crafted HTTP GET request, allowing...

CVSS 8.7, AI score 6.7, EPSS 0.00619
Exploits: 1, References: 7
OSV
added 2025/11/14 12:51 p.m., 3 views

CLSA-2025-1763124681 Fix CVE(s): CVE-2025-62168

SECURITY UPDATE: information disclosure vulnerability in error handling - debian/patches/CVE-2025-62168.patch: Fix the HttpRequest::pack function to handle sensitive data by including a parameter for masking sensitive information - CVE-2025-62168...

CVSS 10, AI score 7.3, EPSS 0.16244
Exploits: 1, References: 1
NVD
added 2025/11/13 8:15 p.m., 2 views

CVE-2025-64709

Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block HTTP Request component functionality allows authenticated users to make arbitrary HTTP requests from the server, including access to AWS Instance...

CVSS 9.9, EPSS 0.00042
Exploits: 1, References: 1
CVE
added 2025/11/13 4:18 p.m., 12 views

CVE-2025-20341

The CVE-2025-20341 case involves Cisco Catalyst Center Virtual Appliance. The description and multiple connected sources confirm an access control / input-validation flaw that allows an authenticated, remote attacker with at least Observer privileges to escalate to Administrator by sending a crafted ...

CVSS 8.8, AI score 6.3, EPSS 0.00257
Exploits: 0, References: 1
Positive Technologies
added 2025/11/13 12:00 a.m., 2 views

PT-2025-46852

Name of the Vulnerable Software and Affected Versions: Cisco Catalyst Center Virtual Appliance (affected versions not specified). Description: A flaw exists in Cisco Catalyst Center Virtual Appliance that could allow a remote attacker with valid credentials for a user account with at least the role of...

CVSS 8.8, AI score 6.5, EPSS 0.00257
Exploits: 0, References: 14
Tenable Nessus
added 2025/11/12 12:00 a.m., 3 views

EulerOS 2.0 SP10 : ruby (EulerOS-SA-2025-2428)

According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Ruby WEBrick readheader HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on...

CVSS 6.5, AI score 7.1, EPSS 0.00257
Exploits: 0, References: 2
OpenVAS
added 2025/11/12 12:00 a.m., 1 views

Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2025-2428)

The remote host is missing an update for the Huawei EulerOS. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 6.5, AI score 6.7, EPSS 0.00257
Exploits: 0, References: 2
Tenable Nessus
added 2025/11/12 12:00 a.m., 2 views

EulerOS 2.0 SP10 : ruby (EulerOS-SA-2025-2400)

According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Ruby WEBrick readheader HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on...

CVSS 6.5, AI score 7.1, EPSS 0.00257
Exploits: 0, References: 2
IBM Security Bulletins
added 2025/11/11 2:43 p.m., 13 views

Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana (OnPrem) build 1.0.307. Vulnerability Details: CVEID: CVE-2025-57810. DESCRIPTION: jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in C...

CVSS 9.8, AI score 9.5, EPSS 0.80733
Exploits: 7, Affected Software: 1
OSV
added 2025/11/10 8:15 p.m., 2 views

AZL-69985 CVE-2025-60876 affecting package busybox 1.35.0-18

BusyBox wget through 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target path/query, allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape "METHOD SP request-target SP HTTP/1.1", a raw spac...

CVSS 6.5, AI score 5.7, EPSS 0.00069
Exploits: 1, References: 1
OSV
added 2025/11/10 8:15 p.m., 3 views

CVE-2025-60876

BusyBox wget through 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target path/query, allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape "METHOD SP request-target SP HTTP/1.1", a raw spac...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 3