nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination

A flaw was found in nghttp2. Due to missing internal state validation, the library continues to process incoming data even after a session has been terminated. A remote attacker could exploit this by sending a specially crafted HTTP/2 frame, leading to an assertion failure and a denial of service...

Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames

A flaw was found in Node.js. A remote attacker can exploit this vulnerability in Node.js HTTP/2 servers by sending specially crafted WINDOWUPDATE frames on stream 0 connection-level. These frames can cause the flow control window to exceed its maximum value, leading to a memory leak as Http2Sessi...

nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination

A flaw was found in nghttp2. Due to missing internal state validation, the library continues to process incoming data even after a session has been terminated. A remote attacker could exploit this by sending a specially crafted HTTP/2 frame, leading to an assertion failure and a denial of service...

Important: Red Hat Security Advisory: nghttp2 security update

An update for nghttp2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

Important: Red Hat Security Advisory: nghttp2 security update

An update for nghttp2 is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

ALSA-2026:7675 Important: nodejs24 security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

Linux Distros Unpatched Vulnerability : CVE-2026-34045

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows...

Important: nghttp2 security update

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination CVE-2026-27135 For more details about the security issues, including the impact, a CVSS...

Linux Distros Unpatched Vulnerability : CVE-2026-40394

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a workspace overflow denial of service daemon panic for certain amounts of prefetche...

Important: nghttp2 security update

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination CVE-2026-27135 For more details about the security issues, including the impact, a CVSS...

Fortinet FortiClient EMS SQL Injection Vulnerability

Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests...

ALSA-2026:7670 Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici:...

RHEL 9 : nghttp2 (RHSA-2026:7668)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:7668 advisory. libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1577)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1577 advisory. A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs,...

RHEL 10 : nodejs24 (RHSA-2026:7675)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7675 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an...

FreeBSD : Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF (30bda1c3-369b-11f1-b51c-6dd25bec137b)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 30bda1c3-369b-11f1-b51c-6dd25bec137b advisory. Seth Larson reports: HTTP proxy via CONNECT tunneling doesn't sanitize CR/LF CVE-2026-1502. Tenable has...

ALSA-2026:7666 Important: nghttp2 security update

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination CVE-2026-27135 For more details about the security issues, including the impact, a CVSS...

Important: python3.9

Issue Overview: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. CVE-2025-11468 User-controlled...

ALSA-2026:7667 Important: nghttp2 security update

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination CVE-2026-27135 For more details about the security issues, including the impact, a CVSS...

CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...