CVE-2026-6868

HTTP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service...

CVE-2026-6868

HTTP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service...

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to a gadget in the HTTP adapter lib/adapters/http.js that relies on duck-typed checks for FormData, allowing attacker-controlled properties on Object.prototype e.g., getHeaders to be invoked and inject arbitrary HTTP headers int...

CLEANSTART-2026-GN46454 When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written

Multiple security vulnerabilities affect the apache-nifi package. When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. See references for individual vulnerability details...

Amazon Linux 2 : tomcat, --advisory ALAS2TOMCAT9-2026-025 (ALASTOMCAT9-2026-025)

The version of tomcat installed on the remote host is prior to 9.0.117-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2026-025 advisory. Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via...

Apache ActiveMQ < 5.19.6 / 6.x < 6.2.5 Multiple Vulnerabilities

The version of Apache ActiveMQ running on the remote host is prior to 5.19.6 or 6.x prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities: - An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via...

CVE-2026-36958

CVE-2026-36958 affects the U-SPEED N300 router (firmware V1.0.0). The embedded Boa HTTP server is vulnerable to a denial-of-service when a large number of concurrent HTTP requests target random/non-existent web-management endpoints, exhausting resources and rendering the web interface unresponsiv...

PT-2026-36253

Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a malicious developer with access to Cloudfoundry could configure a route-service that would allow it to send requests to HTTP services on internal networks...

Medium: tomcat

Issue Overview: Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0...

CVE-2026-6868

HTTP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service...

EUVD-2026-26378

Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory...

Medium: ecs-service-connect-agent

Issue Overview: Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's defaul...

Linux Distros Unpatched Vulnerability : CVE-2026-6868

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - HTTP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVE-2026-6868 Note that Nessus relies on the presence of...

Amazon Linux 2023 : python3.14, python3.14-devel, python3.14-freethreading (ALAS2023-2026-1617)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1617 advisory. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, a...

Amazon Linux 2 : rclone, --advisory ALAS2-2026-3264 (ALAS-2026-3264)

"The version of rclone installed on the remote host is prior to 1.55.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3264 advisory. gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper...

MAL-2026-3193 Malicious code in rblx-http (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b0078ee9b9f6221ab242c9f2442f86670e320a5058c306590b5e5b458066e414 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

@ainsleydev/payload-helper (>=0.0.1 <=0.0.2), @bsct/payload (=1.0.0) +92 more potentially affected by CVE-2026-42353 via i18next-http-middleware (>=1.0.4 <=3.9.2)

i18next-http-middleware NPM version =1.0.4, =0.0.1, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =8.0.0, =3.0.0, =1.0.0, =1.0.6, =1.0.0, =0.0.1, =0.0.229 and more Source cves: CVE-2026-42353 Source advisory: OSV:GHSA-JFGF-83C5-2C4M...

CVE-2026-32688

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plugcowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.toatom/1 on the value returned by :cowboyreq.scheme/1. For HTTP/2...

xsslab

Dalfox XSS Lab Stored XSS / second-order XSS laboratory for i...

OpenTelemetry.Resources.Azure has an unbounded HTTP response body read

Summary OpenTelemetry.Resources.Azure reads unbounded HTTP response bodies from the Azure VM remote instance metadata service endpoint into memory. This would allow an attacker-controlled endpoint or one acting as a Man-in-the-Middle MitM to cause excessive memory allocation and possible process...