34 matches found
EUVD-2026-31440
shell-quote quote does not escape newlines in object .op values...
CVE-2026-44214
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...
EUVD-2026-31968
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...
CVE-2026-44214 eventsource-encoder: SSE event injection via unsanitized event and id fields
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...
SUSE CVE-2026-9277
shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore passed...
Linux Distros Unpatched Vulnerability : CVE-2026-9277
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by...
PT-2026-39241
Name of the Vulnerable Software and Affected Versions eventsource-encoder versions prior to 1.0.2 Description The software fails to sanitize the event and id fields of an EventSourceMessage before serialization in the encodeMessage function. An attacker who controls these fields can inject...
Astra Linux – Vulnerability in Netty
Netty is an asynchronous, event-driven network application framework for developing maintainable, high-performance protocol servers and clients. In versions 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters LF as a chunk-size line...
Astra Linux – Vulnerability in Waitress
Waitress, in version 1.3.1, implemented a “MAY” clause from RFC7230. This clause states: “Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.” Unfortunately, if a front-end...
Unity Linux 20.1060a / 20.1070a Security Update: grafana (UTSA-2026-007098)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007098 advisory. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is us...
CLEANSTART-2026-SB25660 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines
Multiple security vulnerabilities affect the falcosidekick-fips package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...
CLEANSTART-2026-ME47927 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines
Multiple security vulnerabilities affect the consul-k8s-fips package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...
CLEANSTART-2026-PA85871 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines
Multiple security vulnerabilities affect the consul-k8s-fips package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...
CLEANSTART-2026-PG91940 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines
Multiple security vulnerabilities affect the harbor-registry package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...
CLEANSTART-2026-OJ41940 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines
Multiple security vulnerabilities affect the ingress-nginx-controller package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...
CLEANSTART-2026-CR41732 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines
Multiple security vulnerabilities affect the ingress-nginx-controller package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...
rack: Rack memory exhaustion denial of service
A denial of service flaw has been found in the rubygems rack package. Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line CRLFCRLF. The parser keeps appending incoming bytes to memory without a size cap, allowing...
EUVD-2025-11855
Malicious code in bioql PyPI...
Security Bulletin: IBM Observability with Instana (OnPrem) has addressed multiple vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.303 Vulnerability Details CVEID:CVE-2025-0395 DESCRIPTION: When the assert function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure...
CVE-2025-58056
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters LF as a chunk-size line...