Lucene search
+L

615 matches found

AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.10 views

Astra Linux – Vulnerability in Waitress

Waitress version 1.3.1 allows for the smuggling of requests by sending the Content-Length header twice. Waitress would fold the two Content-Length headers together, and since it cannot convert the now comma-separated values into integers, it internally sets the Content-Length to 0. If two...

7.5CVSS6.2AI score0.02122EPSS
Exploits0References2
OSV
OSV
added 2026/05/16 5:30 p.m.13 views

CLSA-2026-1778836031 libsoup: Fix of CVE-2026-2708

CVE-2026-2708: reject duplicate Content-Length headers with different values to prevent HTTP request smuggling per RFC 9110 section 7.7...

5.3CVSS5.8AI score0.00321EPSS
Exploits1References1
Fedora
Fedora
added 2026/05/15 10:45 p.m.34 views

[SECURITY] Fedora 42 Update: nginx-mod-headers-more-0.39-9.fc42

This module allows adding, setting, or clearing specified input/output header s. This is an enhanced version of the standard headers module because it provides more utilities like resetting or clearing "builtin headers" like Content-Type, Content-Length, and Server...

9.2CVSS6AI score0.61469EPSS
Exploits41
Fedora
Fedora
added 2026/05/15 8:58 p.m.22 views

[SECURITY] Fedora 44 Update: nginx-mod-headers-more-0.39-9.fc44

This module allows adding, setting, or clearing specified input/output header s. This is an enhanced version of the standard headers module because it provides more utilities like resetting or clearing "builtin headers" like Content-Type, Content-Length, and Server...

9.2CVSS6AI score0.61469EPSS
Exploits41
SUSE CVE
SUSE CVE
added 2026/05/15 1:58 a.m.20 views

SUSE CVE-2026-42581

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absen...

7.3CVSS5.8AI score0.00607EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/05/14 12:0 a.m.27 views

Linux Distros Unpatched Vulnerability : CVE-2026-42581

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting...

9.8CVSS6.8AI score0.00607EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/05/10 12:0 a.m.11 views

SUSE SLES15 Security Update : python-Django (SUSE-SU-2026:1740-1)

The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1740-1 advisory. This update for python-Django fixes the following issues - CVE-2026-3902: headers spoofing by exploiting an ambiguous mapping of two header...

9.8CVSS5.9AI score0.00879EPSS
Exploits1References25
SUSE Linux
SUSE Linux
added 2026/05/07 7:0 a.m.12 views

Security update for python-Django

This update for python-Django fixes the following issues CVE-2026-3902: headers spoofing by exploiting an ambiguous mapping of two header variants in ASGIRequest requests bsc1261729. CVE-2026-4277: permissions on inline model instances were not validated on submission of forged POST data in...

6.9CVSS5.8AI score0.00879EPSS
Exploits1References32
Github Security Blog
Github Security Blog
added 2026/05/07 12:18 a.m.25 views

Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

NETTY HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization | Field | Value | |-----------|-------| | Library | io.netty:netty-codec-http | | Component | codec-http — HttpObjectDecoder | | Severity | HIGH | | Affects | HEAD, commit 4f3533ae confirmed | --- Summary HttpObjectDecoder strips a...

9.8CVSS5.8AI score0.00607EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.26 views

PT-2026-38374

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description In the HttpObjectDecoder component, the software fails to strip the Content-Length header when an HTTP/1.0 request contains both Transfer-Encoding: chunked...

9.8CVSS5.8AI score0.00607EPSS
Exploits1References412
ATTACKERKB
ATTACKERKB
added 2026/05/06 12:36 p.m.13 views

CVE-2026-40562

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An...

7.5CVSS5.8AI score0.00319EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/06 1:45 a.m.14 views

SUSE CVE-2026-5766

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

5.3CVSS5.8AI score0.00423EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/05 6:33 p.m.19 views

EUVD-2026-27381

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

6.3CVSS5.8AI score0.00423EPSS
Exploits0References4
PyPA
PyPA
added 2026/05/05 4:16 p.m.23 views

PYSEC-2026-54

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to b...

6.3CVSS5.8AI score0.00423EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/05 4:16 p.m.18 views

PYSEC-2026-54

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

6.3CVSS5.8AI score0.00423EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/05 2:49 p.m.11 views

CVE-2026-5766 Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

6.3CVSS5.8AI score0.00423EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/05/05 2:49 p.m.13 views

CVE-2026-5766

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

6.3CVSS5.8AI score0.00423EPSS
Exploits0
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.10 views

Django 安全漏洞

Django is an open-source web framework based on the Python language, developed by the Django Foundation. This framework includes an object-oriented mapper, a view system, and a template system. Versions of Django prior to 6.0.5 and 5.2.14 contained security vulnerabilities. These vulnerabilities...

6.3CVSS5.8AI score0.00423EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/05 12:0 a.m.13 views

Linux Distros Unpatched Vulnerability : CVE-2026-5766

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the...

6.3CVSS7AI score0.00423EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.8 views

CVE-2026-40561

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An...

5.3CVSS5.8AI score0.00378EPSS
Exploits0References1
Rows per page
Query Builder