23 matches found
JLSEC-2026-616 HTTP/1 client request smuggling via CR/LF in method, target, or host in HTTP.jl
Description The HTTP/1 client serialized request.method and request.target and, in forward-proxy absolute-form, the host verbatim onto the wire with no CR/LF/CTL filtering; the only target validator was wired solely into the server parse path. A caller passing an attacker-influenced URL or method...
GHSA-CQ87-8R7H-962V SwiftNIO: CRLF Injection in outbound HTTP request URI via NIOHTTPRequestHeadersValidator
Programs using swift-nio is vulnerable to HTTP request smuggling and HTTP response splitting attacks, caused by insufficient validation of outbound HTTP/1.1 request and response start line components. This vulnerability affects all swift-nio versions from 2.0.0 to 2.99.0. It is fixed in 2.100.0 a...
PT-2026-48923
Programs using swift-nio is vulnerable to HTTP request smuggling and HTTP response splitting attacks, caused by insufficient validation of outbound HTTP/1.1 request and response start line components. This vulnerability affects all swift-nio versions from 2.0.0 to 2.99.0. It is fixed in 2.100.0 a...
CLSA-2026-1778254552 httpd: Fix of 8 CVEs
CVE-2026-24072: modrewrite/modsetenvif: use APEXPRFLAGRESTRICTED in htaccess to prevent reading server-side files via apexpr from .htaccess - CVE-2026-29169: moddavlock: NULL pointer dereference in davgenericrefreshlocks use dpscan instead of dp - CVE-2026-33006: modauthdigest: timing attack —...
DEBIAN-CVE-2026-41417
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...
UBUNTU-CVE-2026-41417
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...
CVE-2026-41417
CVE-2026-41417 — Netty HTTP/RTSP injection flaw : Netty allows CRLF characters in a URI when created via DefaultHttpRequest or DefaultFullHttpRequest and later modified with setUri(), bypassing constructor validation. Consequently, HttpRequestEncoder and RtspEncoder may embed attacker-controlled ...
CVE-2026-41417 Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...
CVE-2026-41417 Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...
CVE-2026-41417 Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same validation...
BIT-LIBPHP-2025-1736 Stream HTTP wrapper header check might omit basic auth header
In PHP from 8.1. before 8.1.32, from 8.2. before 8.2.28, from 8.3. before 8.3.19, from 8.4. before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted...
php: Stream HTTP wrapper header check might omit basic auth header
A flaw was found in PHP. This vulnerability allows certain headers to be either not sent or misinterpreted due to insufficient validation of the end-of-line characters via user-supplied headers...
PHP 安全漏洞
PHP is a scripting language in which PHP is executed server-side. A security vulnerability exists in PHP versions prior to 8.1.32, 8.2.28, 8.3.19, and 8.4.5, which stems from an insufficient validation of end-of-line characters when sending user-supplied headers may result in certain headers not...
UBUNTU-CVE-2025-1736
In PHP from 8.1. before 8.1.32, from 8.2. before 8.2.28, from 8.3. before 8.3.19, from 8.4. before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted...
The vulnerability of the software for managing and controlling access to corporate resources and IBM Security Verify Governance applications lies in the insufficient validation of arguments passed to the command line. This allows attackers to execute arbitrary commands.
The vulnerability of the software for managing and controlling access to corporate resources and applications of IBM Security Verify Governance is related to insufficient validation of arguments passed to the command line. Exploiting this vulnerability allows a malicious actor to execute arbitrar...
The vulnerability of the Microsoft Exchange Server mail server, related to errors in checking command arguments, allows a hacker to execute arbitrary code.
The vulnerability of Microsoft Exchange Server is related to errors during the validation of command-line arguments. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely...
Cisco FXOS Software 安全漏洞
Cisco FXOS Software is a suite of firewall software from Cisco that runs in Cisco security appliances. A security vulnerability exists in Cisco FXOS Software that stems from a failure to validate the parameters of a CLI command, resulting in an arbitrary file write vulnerability. An attacker coul...
chromium-browser: Insufficient validation of untrusted input in command line handling
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page...
Git for Visual Studio Remote Code Execution Vulnerability
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts wit...
Git for Visual Studio Remote Code Execution Vulnerability
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts wit...