CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

102690 matches found

OSV•added 2026/05/07 12:46 a.m.•3 views

GHSA-F6HV-JMP6-3VWV Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...

7.5CVSS5.9AI score0.00018EPSS

Exploits1References3

Github Security Blog•added 2026/05/07 12:46 a.m.•10 views

Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS

7.5CVSS5.9AI score0.00018EPSS

Exploits1References3Affected Software2

vulnersOsv•added 2026/05/07 12:46 a.m.•3 views

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2845 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

io.netty:netty-codec-http MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42587 Source advisory: OSV:GHSA-F6HV-JMP6-3VWV...

7.5CVSS6.8AI score0.00018EPSS

Exploits1

Snyk•added 2026/05/07 12:46 a.m.•11 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and DelegatingDecompressorFrameListener components when the Content-Encoding header is set to br, zstd, or snappy. An attacker can exhaust...

8.7CVSS5.8AI score0.00018EPSS

Exploits1References2

vulnersOsv•added 2026/05/07 12:46 a.m.•3 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23724 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

io.netty:netty-codec-http MAVEN version =4.0.0.Alpha1, =0.1.0-alpha.2, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0-alpha.2, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves:...

7.5CVSS6.8AI score0.00018EPSS

Exploits1

vulnersOsv•added 2026/05/07 12:22 a.m.•7 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23724 more potentially affected by CVE-2026-42585 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

7.5CVSS6.8AI score0.00012EPSS

Exploits1

OSV•added 2026/05/07 12:22 a.m.•1 views

GHSA-38F8-5428-X5CV Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

Summary Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present. According to RFC...

6.5CVSS6AI score0.00012EPSS

Exploits1References4

vulnersOsv•added 2026/05/07 12:22 a.m.•4 views

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2845 more potentially affected by CVE-2026-42585 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

7.5CVSS6.8AI score0.00012EPSS

Exploits1

vulnersOsv•added 2026/05/07 12:22 a.m.•3 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23724 more potentially affected by CVE-2026-42585 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

7.5CVSS6.8AI score0.00012EPSS

Exploits1

Github Security Blog•added 2026/05/07 12:22 a.m.•11 views

Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

7.5CVSS6AI score0.00012EPSS

Exploits1References4Affected Software1

Github Security Blog•added 2026/05/07 12:21 a.m.•8 views

Netty has HttpClientCodec response desynchronization

Summary If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another's. Details HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD a...

9.1CVSS5.8AI score0.00016EPSS

Exploits1References3Affected Software1

vulnersOsv•added 2026/05/07 12:21 a.m.•5 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23724 more potentially affected by CVE-2026-42584 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

9.1CVSS6.8AI score0.00016EPSS

Exploits1

vulnersOsv•added 2026/05/07 12:21 a.m.•2 views

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2845 more potentially affected by CVE-2026-42584 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

9.1CVSS6.8AI score0.00016EPSS

Exploits1

vulnersOsv•added 2026/05/07 12:21 a.m.•5 views

9.1CVSS6.8AI score0.00016EPSS

Exploits1

Github Security Blog•added 2026/05/07 12:19 a.m.•9 views

Netty HTTP/3 QPACK literal unbounded allocation

Summary When Netty decodes HTTP/3 headers, it sometimes runs new bytelength using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length on the order of a gigabyte. Details When decoding header blocks, the non-Huffman branch of...

7.5CVSS5.9AI score0.00017EPSS

Exploits1References3Affected Software1

OSV•added 2026/05/07 12:19 a.m.•1 views

GHSA-2C5C-CHWR-9HQW Netty HTTP/3 QPACK literal unbounded allocation

7.5CVSS5.9AI score0.00017EPSS

Exploits1References3

vulnersOsv•added 2026/05/07 12:18 a.m.•4 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23724 more potentially affected by CVE-2026-42581 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

9.8CVSS6.8AI score0.00017EPSS

Exploits1

Snyk•added 2026/05/07 12:18 a.m.•12 views

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling in the HttpObjectDecoder component. An attacker can manipulate...

9.8CVSS5.8AI score0.00017EPSS

Exploits1References2

vulnersOsv•added 2026/05/07 12:18 a.m.•4 views

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +23724 more potentially affected by CVE-2026-42581 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.132.Final)

9.8CVSS6.8AI score0.00017EPSS

Exploits1

vulnersOsv•added 2026/05/07 12:18 a.m.•7 views

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2845 more potentially affected by CVE-2026-42581 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

9.8CVSS6.8AI score0.00017EPSS

Exploits1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by