PT-2026-46048

Name of the Vulnerable Software and Affected Versions Securly Chrome Extension version 3.0.7 Description The extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP using the Fetch API. This represents an inconsistent implementation of Transport...

PT-2026-45987

Name of the Vulnerable Software and Affected Versions Cisco Unified Communications Manager affected versions not specified Cisco Unified Communications Manager Session Management Edition affected versions not specified Description An issue in the WebDialer service of Cisco Unified Communications...

PT-2026-46001

Mercusys AC12G EU V1 with firmware AC12GEU V1 200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

Linux Distros Unpatched Vulnerability : CVE-2026-50052

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack...

TencentOS Server 3: httpd:2.4 (TSSA-2026:0425)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0425 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVE-2026-36610

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials...

PT-2026-46115

Name of the Vulnerable Software and Affected Versions quic-go affected versions not specified Description An attacker can trigger excessive memory allocation in the HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame. This frame decodes into a large trailer field...

RockyLinux 10 : python3.12 (RLSA-2026:19064)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19064 advisory. expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing CVE-2025-59375...

CVE-2026-41412

CVE-2026-41412 affects alf.io prior to 2.0-M5-2606. The extension sandbox injects a fully-functional HTTP client (simpleHttpClient) into every extension script’s scope, and the postFileAndSaveResponse() method accepts an arbitrary filesystem path using new FileInputStream(file) without path valid...

CVE-2026-41017

Apache Airflow's JWTRefreshMiddleware set the JWT auth cookie without the Secure flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

CVE-2026-10584

Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer...

UBUNTU-CVE-2026-34993

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...

CVE-2026-48596 CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.addcontenttypeparam/2. Tesla.Multipart.addcontenttypeparam/2 appends caller-supplied strings to the multipart...

CVE-2026-10584 HTTPS Fallback to HTTP in Graph Explorer

Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer...

CVE-2026-10584

Graph Explorer before 3.0.1 uses an HTTP fallback when certificate files are missing, exposing potential interception of HTTPS requests. The vulnerability affects the proxy component of Graph Explorer and can lead to disclosure of sensitive information. The recommended remediations are to upgrade...

netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood

A flaw was found in Netty. A remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume...

CVE-2026-48861

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encoderequestline/2 function splices the caller-supplied method and target arguments directly into the HTTP/1...

CVE-2026-49753

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.contentlengthheader/1 in...

SUSE-SU-2026:21991-1 Security update for ignition

This update for ignition fixes the following issue - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265751...