EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-28583

Malicious code in bioql PyPI...

CVSS 8.2, AI score 5.7, EPSS 0.0095
Exploits: 1, References: 4
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-25005

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.4, EPSS 0.00561
Exploits: 0, References: 2
Positive Technologies
added 2025/10/03 12:00 a.m.

PT-2025-40573

Vulnerable software and affected versions: HCL MyXalytics version 6.6
Description: A flaw exists in HCL MyXalytics that permits HTML injection. This could potentially allow an attacker to inject malicious HTML code into the application.
Recommendations: At the moment, there is no...

CVSS 4.6, AI score 6.4, EPSS 0.00162
Exploits: 0, References: 3
OSV
added 2025/10/02 8:09 p.m.

CVE-2025-61604 WeGIA: Cross-Site Request Forgery (CSRF) Vulnerability in `control.php` Endpoint

WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Cross-Site Request Forgery (CSRF) vulnerability. The delete operation for the Almoxarifado entity is exposed via HTTP GET without CSRF protection, allowing a third-party site to trigger...

CVSS 7.1, AI score 6.5, EPSS 0.00159
Exploits: 1, References: 4
RedHat Linux
added 2025/10/02 5:38 p.m.

netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions

A flaw in Netty's HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same...

CVSS 7.5, AI score 7.1, EPSS 0.00631
Exploits: 1, References: 11
RedHat Linux
added 2025/10/02 5:38 p.m.

netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability

A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts...

CVSS 8.2, AI score 7, EPSS 0.0095
Exploits: 1, References: 6
RedHat Linux
added 2025/10/02 2:58 p.m.

netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability

A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts...

CVSS 8.2, AI score 7, EPSS 0.0095
Exploits: 1, References: 6
Packet Storm News
added 2025/10/02 12:00 a.m.

TLoRa: Implementing TLS over LoRa for Secure HTTP Communication in IoT

We present TLoRa, an end-to-end architecture for HTTPS communication over LoRa by integrating TCP tunneling and a complete TLS 1.3 handshake. It enables a seamless and secure communication channel between WiFi-enabled end devices and the Internet over LoRa using an End Hub (EH) and a Net Relay (NR)...

AI score 6.9
Exploits: 0
Positive Technologies
added 2025/10/02 12:00 a.m.

PT-2025-40425

Vulnerable software and affected versions: WeGIA versions 3.4.12 and below
Description: WeGIA, a web manager designed for charitable institutions, is susceptible to a Cross-Site Request Forgery (CSRF) issue. The deletion function for the Almoxarifado entity is accessible through an HTTP G...

CVSS 7.1, AI score 6.7, EPSS 0.00159
Exploits: 1, References: 7
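The two WeGIA entries above (CVE-2025-61604 and PT-2025-40425) describe the same pattern: a state-changing delete reachable by plain HTTP GET with no CSRF token, so any page the victim visits can trigger it with an image or link. The following is an added example, not WeGIA's code: a minimal WSGI handler that reproduces that pattern next to a hardened one (POST only, Sec-Fetch-Site check, session-bound synchronizer token), driven offline with constructed requests. The entity store, session store, route names and field names are hypothetical.

```python
import hmac
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed in-memory state standing in for the application's database and sessions.
STORE = {"almoxarifado": {1: "warehouse A", 2: "warehouse B"}}
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session(environ):
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return SESSIONS.get(cookies["sid"].value) if "sid" in cookies else None


def vulnerable_delete(environ, session):
    # The advisory's pattern: a delete reachable by GET with no CSRF token. The browser
    # attaches the victim's session cookie to an <img src="...delete&id=1"> on any origin.
    query = parse_qs(environ.get("QUERY_STRING", ""))
    STORE["almoxarifado"].pop(int(query["id"][0]), None)
    return "200 OK"


def hardened_delete(environ, session):
    # 1. Only POST may change state, so a cross-origin <img> or <a> cannot trigger it.
    if environ["REQUEST_METHOD"] != "POST":
        return "405 Method Not Allowed"
    # 2. Defence in depth: browsers label cross-site requests in Sec-Fetch-Site.
    #    An absent header (older client) is allowed because the token check still applies.
    if environ.get("HTTP_SEC_FETCH_SITE", "same-origin") not in ("same-origin", "none"):
        return "403 Forbidden"
    # 3. Synchronizer token bound to the session, compared in constant time.
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, session["csrf"]):
        return "403 Forbidden"
    STORE["almoxarifado"].pop(int(form["id"][0]), None)
    return "200 OK"


def app(handler, environ):
    session = _session(environ)
    if session is None:
        return "401 Unauthorized"
    return handler(environ, session)


def make_environ(method, query="", body=b"", sid=None, sec_fetch_site=None):
    """Build a constructed WSGI environ for one request."""
    env = {"REQUEST_METHOD": method, "QUERY_STRING": query,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if sid:
        env["HTTP_COOKIE"] = f"sid={sid}"
    if sec_fetch_site:
        env["HTTP_SEC_FETCH_SITE"] = sec_fetch_site
    return env


def run_scenarios():
    """Replay the forged and legitimate requests against both handlers."""
    STORE["almoxarifado"] = {1: "warehouse A", 2: "warehouse B"}
    sid = new_session("alice")
    results = {}
    # Victim's browser loads the attacker's page, which embeds the delete URL.
    results["vulnerable_cross_site_get"] = app(vulnerable_delete, make_environ(
        "GET", "action=delete&id=1", sid=sid, sec_fetch_site="cross-site"))
    results["left_after_vulnerable"] = sorted(STORE["almoxarifado"])
    # The same forged GET against the hardened handler.
    results["hardened_cross_site_get"] = app(hardened_delete, make_environ(
        "GET", "action=delete&id=2", sid=sid, sec_fetch_site="cross-site"))
    # Auto-submitted cross-site form: right method, but no token and cross-site origin.
    results["hardened_cross_site_post"] = app(hardened_delete, make_environ(
        "POST", body=b"id=2", sid=sid, sec_fetch_site="cross-site"))
    # Legitimate same-origin form carrying the session's token.
    token = SESSIONS[sid]["csrf"]
    results["hardened_legit_post"] = app(hardened_delete, make_environ(
        "POST", body=f"id=2&csrf_token={token}".encode(), sid=sid, sec_fetch_site="same-origin"))
    results["left_after_hardened"] = sorted(STORE["almoxarifado"])
    return results
```

In run_scenarios() the forged GET deletes entity 1 through the vulnerable handler, while the hardened handler answers 405 to the forged GET, 403 to a token-less cross-site POST, and 200 only to the same-origin POST carrying the session's token. Marking the session cookie SameSite=Lax on top of this removes the cookie from most cross-site requests as well.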
Redos
added 2025/10/02 12:00 a.m.

ROS-20251002-03

A vulnerability in Microsoft's .NET platform is related to closing an HTTP/3 stream while a response is being written, resulting in a race condition. Exploitation of the vulnerability could allow an attacker, acting remotely, to gain access to sensitive informatio...

CVSS 8.8, AI score 7.3, EPSS 0.00719
Exploits: 0
SUSE CVE
added 2025/10/01 11:25 p.m.

SUSE CVE-2025-11211

Out of bounds read in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Chromium security severity: Medium...

CVSS 7.5, AI score 6.7, EPSS 0.00329
Exploits: 0, References: 3
CVE
added 2025/09/30 12:49 p.m.

CVE-2025-10859

CVE-2025-10859 affects Mozilla Firefox for iOS (pre-143.1). The issue is an information disclosure caused by cookie storage for non-HTML temporary documents being shared with normal browsing content, allowing data from private/incognito tabs to be exposed even after all tabs are closed. Impact de...

CVSS 4, AI score 5.8, EPSS 0.00109
Exploits: 0, References: 2, Affected software: 1
RedhatCVE
added 2025/09/30 9:38 a.m.

CVE-2025-10342

HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'name' at the endpoint '/subscriptions/create'...

CVSS 6.1, AI score 7, EPSS 0.00216
Exploits: 0, References: 1
Veracode
added 2025/09/29 10:27 a.m.

HTTP Request Smuggling

eventlet is vulnerable to HTTP Request Smuggling. The vulnerability is due to improper handling of HTTP trailer sections, which allows an attacker to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches...

CVSS 9.1, AI score 6.9, EPSS 0.00363
Exploits: 0, References: 6, Affected software: 1
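Both chunked-encoding entries above (the Netty chunk-extension bare-LF flaw and the eventlet trailer-section flaw) are the same class of bug: two HTTP/1.1 parsers on one connection disagree about where a chunked body ends, so bytes the front end forwarded as body are consumed by the back end as the next request. The following is an added example, not Netty's or eventlet's code: a small chunked-body decoder parameterised by how it ends the chunk-size and trailer lines, fed one constructed attacker body. The back-end decoder models the "bare LF ends the line" behaviour described in the Netty entry, the proxy decoder reads up to CRLF and ignores everything after the ';', and the hardened decoder rejects any bare CR or LF in those lines and consumes the trailer section explicitly. The byte layout of the crafted body and the `/admin` target are constructed for the demonstration.

```python
from typing import Callable, Tuple

Reader = Callable[[bytes, int], Tuple[bytes, int]]


class Desync(ValueError):
    """Raised when the decoder cannot make sense of the stream."""


def _line_lf(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Lenient back end (the Netty behaviour): a bare LF ends the line, trailing CR dropped."""
    end = buf.find(b"\n", pos)
    if end < 0:
        raise Desync("unterminated line")
    line = buf[pos:end]
    return (line[:-1] if line.endswith(b"\r") else line), end + 1


def _line_crlf(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Tolerant front end: only CRLF ends the line; whatever precedes it is the line."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise Desync("unterminated line")
    return buf[pos:end], end + 2


def _line_strict(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Hardened: CRLF terminates, and no bare CR or LF may appear inside the line."""
    line, nxt = _line_crlf(buf, pos)
    if b"\n" in line or b"\r" in line:
        raise Desync("bare CR/LF inside chunk-size or trailer line")
    return line, nxt


def decode_chunked(buf: bytes, readline: Reader) -> Tuple[bytes, bytes]:
    """Return (body, leftover). Leftover is what this endpoint would parse as the
    *next* request on the connection, which is exactly where smuggling lands."""
    pos, body = 0, bytearray()
    while True:
        line, pos = readline(buf, pos)
        size_field = line.split(b";", 1)[0].strip()  # chunk extensions are ignored
        try:
            size = int(size_field, 16)
        except ValueError:
            raise Desync(f"bad chunk size {size_field!r}") from None
        if size == 0:
            break
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise Desync("chunk data not followed by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    # Trailer section: header lines up to an empty line. An endpoint that does not
    # consume these the same way as its peer desyncs just like the size-line case.
    while True:
        line, pos = readline(buf, pos)
        if line == b"":
            break
    return bytes(body), buf[pos:]


def backend_decode(buf: bytes) -> Tuple[bytes, bytes]:
    return decode_chunked(buf, _line_lf)


def proxy_decode(buf: bytes) -> Tuple[bytes, bytes]:
    return decode_chunked(buf, _line_crlf)


def hardened_decode(buf: bytes) -> Tuple[bytes, bytes]:
    return decode_chunked(buf, _line_strict)


def is_rejected(decoder: Callable[[bytes], Tuple[bytes, bytes]], buf: bytes) -> bool:
    try:
        decoder(buf)
    except Desync:
        return True
    return False


# Constructed attacker body. Sizes are chosen so that the proxy's chunk data is
# exactly "0\r\n\r\n" + SMUGGLED, while the back end sees the body end earlier.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: internal\r\n"  # 37 bytes
FILLER = b"A" * (5 + len(SMUGGLED))                         # 42 bytes = 0x2a
CRAFTED = (
    b"%x;ext\n" % len(FILLER)  # bare LF: the back end ends the size line here
    + FILLER + b"\r\n"         # the proxy's size line runs up to this CRLF
    + b"0\r\n\r\n"             # back end: terminating chunk + empty trailer section
    + SMUGGLED + b"\r\n"       # proxy: tail of its 42-byte chunk, then CRLF
    + b"0\r\n\r\n"             # proxy: its terminating chunk
)
```

Running the three decoders over CRAFTED shows the split: the proxy sees one request whose body is `0\r\n\r\nGET /admin ...` and nothing left over, the back end sees a body of 42 `A`s and then `GET /admin HTTP/1.1 ...` waiting on the connection as a second request, and the hardened decoder refuses the stream at the first line. The practical check is the same either way: both sides of a proxy chain must be strict about CRLF in chunk-size lines and must consume trailers identically, or the front end must re-encode the body before forwarding.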
NVD
added 2025/09/29 9:15 a.m.

CVE-2025-10346

HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'subject' at the endpoint 'knoewledgebase/article'...

CVSS 6.1, EPSS 0.00177
Exploits: 0, References: 1
Vulnrichment
added 2025/09/29 8:43 a.m.

CVE-2025-10346 HTML injection in Perfex CRM

HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'subject' at the endpoint 'knoewledgebase/article'...

CVSS 5.3, AI score 6.7, EPSS 0.00177
Exploits: 0, References: 1
Vulnrichment
added 2025/09/25 10:32 a.m.

CVE-2025-10940 Total.js CMS Layout admin layouts_save cross site scripting

A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack remotely. The exploit h...

CVSS 4.8, AI score 5.3, EPSS 0.00237
Exploits: 0, References: 3
RedHat Linux
added 2025/09/25 12:09 a.m.

HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

CVSS 7.5, AI score 6.7, EPSS 0.99999
Exploits: 19, References: 10
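The Rapid Reset entry above and the two Netty MadeYouReset entries earlier in the list describe two faces of one resource-exhaustion problem: in Rapid Reset the client opens a stream and cancels it with RST_STREAM, and in MadeYouReset the client sends a frame that violates the protocol on an open stream so the server itself has to send the RST_STREAM, which a counter keyed only on client-sent resets never sees. The following is an added example, not Netty's or any server's code: a per-connection abuse counter modelled in Python, run once charging only client resets and once charging every reset that threw away dispatched work. The event names, threshold and window are constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass, field

MAX_RESETS = 100        # hypothetical: resets tolerated per window per connection
WINDOW_SECONDS = 10.0   # hypothetical: sliding window for the reset budget


@dataclass
class ConnectionGuard:
    """Reset budget for one HTTP/2 connection."""
    charge_server_resets: bool               # the MadeYouReset fix: count our own RSTs too
    resets: deque = field(default_factory=deque)  # timestamps of charged resets
    goaway_sent: bool = False
    wasted_work: int = 0                     # handler dispatches that produced no response

    def _charge(self, now: float) -> None:
        self.resets.append(now)
        while self.resets and now - self.resets[0] > WINDOW_SECONDS:
            self.resets.popleft()
        if len(self.resets) > MAX_RESETS:
            self.goaway_sent = True          # a real server sends GOAWAY and closes

    def on_event(self, now: float, kind: str, stream_id: int) -> str:
        """kind is one of:
        'headers'    new stream, request handler dispatched
        'client_rst' client cancels the stream (Rapid Reset)
        'malformed'  protocol-violating frame on the open stream, e.g. WINDOW_UPDATE
                     with increment 0, forcing a server-sent RST_STREAM (MadeYouReset)
        """
        if self.goaway_sent:
            return "dropped"
        if kind == "headers":
            return "scheduled"
        if kind == "client_rst":
            self.wasted_work += 1
            self._charge(now)
            return "cancelled"
        if kind == "malformed":
            self.wasted_work += 1            # the handler was already dispatched
            if self.charge_server_resets:
                self._charge(now)            # without this the counter never moves
            return "server_reset"
        raise ValueError(f"unknown event {kind!r}")


def flood(guard: ConnectionGuard, kind: str, count: int) -> ConnectionGuard:
    """Open a stream and immediately provoke its reset, `count` times within 1 s."""
    for i in range(count):
        stream_id = 2 * i + 1                # client-initiated streams are odd-numbered
        guard.on_event(0.001 * i, "headers", stream_id)
        guard.on_event(0.001 * i, kind, stream_id)
    return guard
```

With 500 stream open/reset pairs, the client-only counter trips GOAWAY after MAX_RESETS + 1 Rapid Reset cancels, but lets all 500 MadeYouReset streams through with the full 500 units of wasted work; the counter that also charges server-initiated resets trips on both at the same point. The generalisation a practitioner should take from it is that the budget has to be keyed on "work dispatched and then discarded", whichever side sent the RST_STREAM.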
VulnCheck KEV
added 2025/09/25 12:00 a.m.

VulnCheck KEV: CVE-2024-33326

A cross-site scripting (XSS) vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter...

CVSS 6.1, AI score 5.9, EPSS 0.0081
In the wild. Exploits: 1, References: 2
OSV
added 2025/09/24 7:21 p.m.

GO-2025-3974 DragonFly's tiny file download uses hard coded HTTP protocol in d7y.io/dragonfly

DragonFly's tiny file download uses hard coded HTTP protocol in d7y.io/dragonfly...

CVSS 6.9, AI score 7, EPSS 0.0013
Exploits: 0, References: 3