Lucene search
K

176 matches found

Nuclei
Nuclei
added yesterday40 views

LibreChat <= 0.7.9 - HTML Injection via Accept-Language Header

danny-avila/librechat 0.7.9 contains a stored XSS caused by improper sanitization of the Accept-Language header, letting logged-in users inject arbitrary HTML into the html lang= tag, exploit requires user to be logged in. id: CVE-2025-8848 info: name: LibreChat marker"...

5.4CVSS6AI score0.00423EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.11 views

CVE-2026-41683

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS5.3AI score0.00327EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerability in golang-golang-x-text

An attacker can cause a denial of service by creating an Accept-Language header that requires ParseAcceptLanguage to take significant time to process...

7.5CVSS6.8AI score0.01428EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 9:20 p.m.6 views

CVE-2026-44241 Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, 3.10.6, and 3.8.14, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the...

7.5CVSS6AI score0.0055EPSS
Exploits0References7
CVE
CVE
added 2026/05/12 9:20 p.m.28 views

CVE-2026-44241

Summary of CVE-2026-44241 (Micronaut Framework) Affected: Micronaut Core versions 4.3.0–4.10.21 (fixed in 4.10.22). A cache in TimeConverterRegistrar stores DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by pattern+Locale derived from the @Format annotation and the HTTP Accep...

7.5CVSS6AI score0.0055EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/12 9:20 p.m.9 views

CVE-2026-44241

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the @Format annotation...

7.5CVSS6AI score0.0055EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/05/12 9:20 p.m.44 views

CVE-2026-44241 Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, 3.10.6, and 3.8.14, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the...

7.5CVSS0.0055EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/12 9:17 p.m.74 views

CVE-2026-44242 Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory Exhaustion via Accept-Language Header

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...

3.7CVSS0.00209EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 9:17 p.m.8 views

CVE-2026-44242 Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory Exhaustion via Accept-Language Header

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...

3.7CVSS5.8AI score0.00209EPSS
Exploits0References1
CVE
CVE
added 2026/05/12 9:17 p.m.48 views

CVE-2026-44242

CVE-2026-44242 affects Micronaut Framework when a non-default ResourceBundleMessageSource bean is registered. The bundleCache is a ConcurrentHashMap unbounded by design, allowing an attacker to flood the server with unique Accept-Language headers (while requesting HTML error responses), creating ...

3.7CVSS5.8AI score0.00209EPSS
Exploits0References1
NVD
NVD
added 2026/05/08 4:16 p.m.14 views

CVE-2026-41683

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS0.00327EPSS
Exploits0References1
CVE
CVE
added 2026/05/08 3:27 p.m.20 views

CVE-2026-41683

CVE-2026-41683 affects i18next-http-middleware prior to 3.9.3. The root cause is that user-controlled language values (lng) were passed, via unsafe escaping, into the Content-Language header, potentially allowing HTTP response splitting or DoS depending on Node.js version. Older i18next (&lt; 19....

8.6CVSS5.7AI score0.00327EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/08 3:27 p.m.33 views

CVE-2026-41683 HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS0.00327EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/08 3:27 p.m.7 views

CVE-2026-41683

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS5.7AI score0.00327EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/08 3:27 p.m.7 views

CVE-2026-41683 HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS5.7AI score0.00327EPSS
Exploits0References1
OSV
OSV
added 2026/05/08 11:42 a.m.12 views

CLSA-2026-1778152899 httpd: Fix of 2 CVEs

CVE-2017-15710: modauthnzldap out-of-bounds write when accept-language header value is shorter than two characters - CVE-2017-15715: regex anchor in / can match before an embedded newline, allowing .htaccess bypass of trailing-extension filters...

8.1CVSS6.7AI score0.86006EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.11 views

i18next-http-middleware 跨站脚本漏洞

i18next-http-middleware is an open-source HTTP internationalization middleware for Node.js and Deno by i18next. Versions of i18next-http-middleware prior to version 3.9.3 had a cross-site scripting vulnerability. This vulnerability stemmed from incorrectly clearing control characters such as...

8.6CVSS5.7AI score0.00327EPSS
Exploits0References1
OSV
OSV
added 2026/05/07 6:26 p.m.10 views

CLSA-2026-1778178379 httpd: Fix of 2 CVEs

CVE-2017-15710: modauthnzldap out-of-bounds write when accept-language header value is shorter than two characters - CVE-2017-15715: regex anchor in / can match before an embedded newline, allowing .htaccess bypass of trailing-extension filters...

8.1CVSS7.3AI score0.86006EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/06 8:0 p.m.11 views

Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header

Summary TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag accepts arbitrary BCP 47 private-use...

7.5CVSS5.9AI score0.0055EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2026/05/06 8:0 p.m.8 views

GHSA-8HJV-92Q9-G4XJ Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header

Summary TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag accepts arbitrary BCP 47 private-use...

7.5CVSS5.9AI score0.0055EPSS
Exploits0References4
Rows per page
Query Builder