perl-HTTP-Tiny-0.094-1.1 on GA media (moderate)

perl-HTTP-Tiny-0.094-1.1 on GA media Announcement ID: openSUSE-SU-2026:10805-1 Rating: moderate Cross-References: CVE-2026-7010 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...

Security update for go1.26 (important)

openSUSE security update: security update for go1.26 ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20762-1 Rating: important References: bsc1170826 bsc1255111 bsc1264499 bsc1264500 bsc1264501 bsc1264502 bsc1264503 bsc1264504 bsc1264505 bsc1264506...

CVE-2026-47090

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...

CLSA-2026-1779129626 httpd: Fix of CVE-2026-28780

CVE-2026-28780: modproxyajp: heap-based buffer overflow in ajpmsgcheckheader — message size check did not subtract AJPHEADERLEN, letting a crafted AJP reply write 4 bytes past the end of the heap buffer...

Failing Open

Overview n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol MCP Affected versions of this package are vulnerable to Failing Open when handing multi-tenant HTTP requests ENABLEMULTITENANT=true containing one or neither of the x-n8n-url and x-n8n-key headers. An...

GHSA-JXX9-PX88-PJ69 n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

Summary When ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8NAPIURL / N8NAPIKEY credentials...

n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

Summary When ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8NAPIURL / N8NAPIKEY credentials...

GHSA-FVH2-GM75-J4J7 dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport

Summary dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host...

dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport

Summary dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host...

ai.evolv:ascend-sdk (=0.5.0), app.peac:core (=0.0.1) +2567 more potentially affected by CVE-2026-45300 via org.asynchttpclient:async-http-client (>=2.0.0-RC1 <=2.14.5)

org.asynchttpclient:async-http-client MAVEN version =2.0.0-RC1, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.7.0, =0.7.0, =0.1.0, =0.2.0, =0.1.0, =0.2.0, =2.2, =2.0, =2.0-RC2 and more Source cves: CVE-2026-45300 Source advisory: SNYK:JAVA-ORGASYNCHTTPCLIENT-16755239...

com.akamai.edgegrid:edgegrid-signer-async-http-client (>=6.0.1 <=6.0.1-rc.1), com.cloudbees.thirdparty:zendesk-java-client (>=1.1.0 <=1.3.1) +50 more potentially affected by CVE-2026-45300 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.1)

org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =6.0.1, =1.1.0, =0.4.8, =0.4.8, =0.4.8, =218.0.0, =14.5.0, =15.4.0 - com.navercorp.pinpoint:pinpoint-agentstatistics-collector =3.1.0 - com.navercorp.pinpoint:pinpoint-batch =3.1.0 - com.navercorp.pinpoint:pinpoint-collector-starte...

com.akamai.edgegrid:edgegrid-signer-async-http-client (>=6.0.1 <=6.0.1-rc.1), com.cloudbees.thirdparty:zendesk-java-client (>=1.1.0 <=1.3.1) +50 more potentially affected by CVE-2026-45300 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.1)

org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =6.0.1, =1.1.0, =0.4.8, =0.4.8, =0.4.8, =218.0.0, =14.5.0, =15.4.0 - com.navercorp.pinpoint:pinpoint-agentstatistics-collector =3.1.0 - com.navercorp.pinpoint:pinpoint-batch =3.1.0 - com.navercorp.pinpoint:pinpoint-collector-starte...

async-http-client: Cookie header not stripped on cross-origin redirect

Summary async-http-client leaks Cookie headers to cross-origin redirect targets. When following a redirect across a security boundary different origin, or HTTPS→HTTP downgrade, the propagatedHeaders method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but doe...

CLSA-2026-1779119053 Fix of 8 CVEs

SECURITY UPDATE: modproxyajp heap buffer over-read in ajpmsggetstring - debian/patches/CVE-2026-34032.patch: add buffer checks in modules/proxy/ajpmsg.c. - CVE-2026-34032 SECURITY UPDATE: AJP getter functions off-by-one out-of-bounds reads - debian/patches/CVE-2026-33857.patch: fix length checks ...

CLSA-2026-1779118679 Fix of 8 CVEs

SECURITY UPDATE: modproxyajp heap buffer over-read in ajpmsggetstring - debian/patches/CVE-2026-34032.patch: add buffer checks in modules/proxy/ajpmsg.c. - CVE-2026-34032 SECURITY UPDATE: AJP getter functions off-by-one out-of-bounds reads - debian/patches/CVE-2026-33857.patch: fix length checks ...

Security Bulletin: Multiple Vulnerabilities have been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server

Summary IBM HTTP Server is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM HTTP Server have been published in a security bulletin CVE-2026-28780, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059, CVE-2026-41080 Vulnerability Details Refer to the...

CLEANSTART-2026-OZ77074 Security fixes for ghsa-r4q5-vmmm-2653 applied in versions: 5.1.0-r1

Security vulnerability affects the configurable-http-proxy package. This issue is resolved in later releases. See references for vulnerability details...

Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs

Summary Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints list, create, get, update, delete, test, listBranches, browseFiles never...

GHSA-F3RG-XQJJ-CJ9W n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters

Summary In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant...

netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood

A flaw was found in Netty. A remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume...