RockyLinux 9 : nodejs:22 (RLSA-2026:7302)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:7302 advisory. brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547 minimatch: minimatch: Denial of Service via...

RHEL 10 : nodejs22 (RHSA-2026:7310)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7310 advisory. Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an...

Important: nginx:1.26 security update

nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fixes: nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files CVE-2026-32647 NGINX: NGINX: Denial of Service or file...

Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion...

PT-2026-31629

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the Content-Length header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large Content-Length val...

Tenda i12 路径遍历漏洞

The Tenda i12 is a ceiling-mounted wireless access point produced by the Chinese company Tenda. The version Tenda i12 1.0.0.113862 contains a path traversal vulnerability. This vulnerability stems from a path traversal issue in the HTTP Handler component, which may lead to path traversal attacks...

PT-2026-31715

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run ...

PT-2026-31695

Name of the Vulnerable Software and Affected Versions V2Board versions 1.6.1 through 1.7.4 and Xboard versions through 0.1.9 Description V2Board and Xboard are affected by an issue where authentication tokens are exposed in the HTTP response bodies of the loginWithMailLink endpoint when the login...

API Lab MCP 代码问题漏洞

API Lab MCP is an AI-driven API testing laboratory developed by YoungEun Lee. It supports natural language interaction and automatic documentation generation. Versions of API Lab MCP prior to 0.2.1 contained code vulnerabilities. These vulnerabilities were caused by incorrect parameter handling i...

PT-2026-31566

Name of the Vulnerable Software and Affected Versions atototo api-lab-mcp versions up to 0.2.1 Description A weakness exists in the HTTP Interface component of atototo api-lab-mcp. Manipulation of the source/url argument within the analyze api spec/generate test scenarios/test http endpoint...

RHEL 9 : nodejs:22 (RHSA-2026:7302)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7302 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

RockyLinux 9 : nodejs:24 (RLSA-2026:7350)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:7350 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547...

CLSA-2026-1775688811 Fix CVE(s): CVE-2026-32748, CVE-2026-33526

SECURITY UPDATE: denial of service via use-after-free in ICP - debian/patches/CVE-2026-33526.patch: remove duplicate rfc1738escape call in icpGetRequest that invalidated the previously escaped URL pointer - CVE-2026-33526 SECURITY UPDATE: denial of service via use-after-free in ICP request handli...

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value through the UploadTraces, UploadMetrics, and uploadLogs response-handling paths in exporters/otlp/otlptrace/otlptracehttp/client.go, exporters/otlp/otlpmetric/otlpmetrichttp/client.go, and...

EUVD-2025-209363

A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the httplanport parameter in the /webgl.asp endpoint...

EUVD-2025-209345

A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /urlrule.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, en, ips, u, time, act, rpri, and log...

CVE-2026-39882

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

UBUNTU-CVE-2026-39882

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

HTTP Request Smuggling

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to HTTP Request Smuggling in ChunkedInputFilter, when handling HTTP/1.1 requests with invalid chunk extensions. An attacker can interfere with the interpretation of...

CVE-2026-39882 OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...