CVE-2026-41207

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDFexpand returns non-NULL on failure. The byte is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a...

CVE-2026-48480

The CVE concerns the netty incubator codec.bhttp (codec-ohttp) where, prior to 0.0.22.Final, the implementation of draft-ietf-ohai-chunked-ohttp fails to verify that a cryptographically-signed final chunk was received before the outer HTTP body ends. This allows an on-path adversary (OHTTP relay ...

CVE-2026-48480 netty-incubator-codec-ohttp OHttpVersionChunkDraft's Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversar...

CVE-2026-48480 netty-incubator-codec-ohttp OHttpVersionChunkDraft's Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversar...

CVE-2026-48480

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversar...

CVE-2026-48040

The CVE-2026-48040 entry concerns netty-incubator-codec.bhttp prior to 0.0.22.Final, where a fallback path for direct ByteBufs is taken when Unsafe is unavailable. Under these conditions, an unauthenticated network attacker can trigger cryptographic operations via crafted OHTTP requests, causing ...

CVE-2026-48040 netty-incubator-codec-ohttp's Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access

The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP RFC 9458 using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to 0.0.22.Final provide a fallback path for direct...

EUVD-2026-34307

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDFexpand returns non-NULL on failure. The byte is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a...

CVE-2026-41207

The CVE concerns the netty-incubator-codec-ohttp project. Before version 0.0.21.Final, HKDF_expand could return a non-NULL failure result and fill the output byte[] with zeros, making HKDF key material indistinguishable from a legitimate output. This zeroed material feeds directly into OHttpCrypt...

cc.chensoul.nacos:nacos-distribution (=2.5.2), cn.sparrowmini:sparrow-org-service (=0.0.1) +625 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=5.8.0 <=5.8.2)

org.springframework.security:spring-security-core MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.12.0, =5.12.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =2.6.0 and more Source cves: CVE-2026-22746 Source advisory: OSV:GHSA-VXF7-QJ7Q-83FH...

cc.chensoul.nacos:nacos-distribution (=2.5.2), com.buession.security:buession-security-spring (>=3.0.0 <=3.0.1) +521 more potentially affected by CVE-2026-22732 via org.springframework.security:spring-security-web (>=5.8.0 <=5.8.16)

org.springframework.security:spring-security-web MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.12.0, =5.12.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =4.5.0, =4.5.0, =4.5.1 and more Source cves: CVE-2026-22732 Source advisory: OSV:GHSA-MF92-479X-3373...

backtest-reg (>=0.1.0 <=0.5.0), datacompy (>=0.10.0 <=0.14.4) +7 more potentially affected by CVE-2025-62703 via fugue (>=0.5.0.dev1 <=0.9.1)

fugue PYPI version =0.5.0.dev1, =0.1.0, =0.10.0, =0.1.7, =0.0.4, =0.5.0, =0.1.1, =0.1.2.dev3 Source cves: CVE-2025-62703 Source advisory: OSV:GHSA-XV5P-FJW5-VRJ6...

EUVD-2019-0019

Malware in sbrugna...

EUVD-2025-12353

Malicious code in bioql PyPI...

CVE-2019-12414

In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab...

CVE-2025-3841

CVE-2025-3841 affects wix-incubator jam (jam.py; Jinja2 Template Handler). The vulnerability arises from improper neutralization of special elements in the Jinja2 template engine when processing config['template'], enabling an attack on the local host. Exploitation details are not fully enumerate...

jam 安全漏洞

jam is an open source application from Wix Incubator. A security vulnerability exists in jam, which stems from improper neutralization of special elements of the Jinja2 template engine...

PT-2025-17461 · Jinja2 +1 · Jinja2 +2

Name of the Vulnerable Software and Affected Versions: wix-incubator jam up to e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9 Description: A vulnerability was found in wix-incubator jam, affecting an unknown part of the file jam.py of the component Jinja2 Template Handler. The manipulation of the...

Hash Collision Attack

io.netty.incubator, netty-incubator-codec-quic is vulnerable to Hash Collision Attack. The vulnerability is due to a hash collision in the hash map used to manage connections, which allows remote attackers to perform a Hash DoS attack by initiating connections with colliding Source Connection IDs...

ch.mobi.mobitor.plugins:mobitor-plugin-bitbucket (>=3.1.305 <=3.1.313), ch.mobi.mobitor.plugins:mobitor-plugin-dwh (>=3.1.305 <=3.1.313) +81 more potentially affected by CVE-2025-29908 via io.netty.incubator:netty-incubator-codec-quic (>=0.0.14.Final <=0.0.20.Final)

io.netty.incubator:netty-incubator-codec-quic MAVEN version =0.0.14.Final, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.305, =3.1.313 and more Source cves: CVE-2025-29908 Source advisory:...