Lucene search
+L

163 matches found

CNNVD
CNNVD
added 2026/04/10 12:0 a.m.11 views

CPython 安全漏洞

CPython is a Python interpreter implemented in C language by the Python Foundation. CPython has security vulnerabilities, which stem from HTTP client proxy tunnel headers or hosts not rejecting CR/LF bytes...

5.7CVSS7.3AI score0.00562EPSS
Exploits0References5
OSV
OSV
added 2026/04/09 6:17 p.m.4 views

DEBIAN-CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

8.6CVSS5.3AI score0.02185EPSS
Exploits1References1
OSV
OSV
added 2026/04/06 4:10 p.m.3 views

CVE-2026-34975 Plunk has a CRLF Email Header Injection in raw MIME message construction allows authenticated API user to inject arbitrary email headers

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME...

8.5CVSS6.1AI score0.00194EPSS
Exploits2References3
Github Security Blog
Github Security Blog
added 2026/04/02 8:31 p.m.8 views

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values

Summary Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result,...

6.5CVSS5.8AI score0.00227EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/01 8:9 p.m.28 views

CVE-2026-34514 AIOHTTP: CRLF injection in multipart part content type header construction

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the contenttype parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

6.9CVSS0.00315EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/03/28 1:44 a.m.8 views

WordPress Pagelayer plugin <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' vulnerability

Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' vulnerability discovered by Drew Webber mcdruid in WordPress Plugin PageLayer versions = 2.0.7...

5.3CVSS5.9AI score0.00297EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/27 10:51 p.m.6 views

CVE-2026-33635

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding...

4.3CVSS6AI score0.00244EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/26 8:30 p.m.2 views

CVE-2026-33635 iCalendar has ICS injection via unsanitized URI property values

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding...

4.3CVSS6AI score0.00244EPSS
Exploits1References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/25 1:4 p.m.5 views

Security Bulletin: IBM DevOps Build addresses multiple vulnerabilities.

Summary IBM DevOps Build 7.1.0.3 addresses multiple vulnerabilities. Vulnerability Details CVEID:CVE-2025-67735 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder...

9.1CVSS6.2AI score0.00756EPSS
Exploits2Affected Software1
CNNVD
CNNVD
added 2026/03/25 12:0 a.m.8 views

Cisco IOS XE Software 注入漏洞

Cisco IOS XE Software is a network operating system developed by the American company Cisco. There is an injection vulnerability in Cisco IOS XE Software, which stems from insufficient user input validation. This vulnerability may lead to CRLF injection attacks...

5.3CVSS7.5AI score0.0029EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/03/25 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-28753

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NGINX Plus and NGINX Open Source have a vulnerability in the ngxmailsmtpmodule module due to the improper handling of CRLF sequences in DNS responses. This allo...

6.3CVSS5.7AI score0.00264EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/24 8:51 p.m.2 views

CVE-2026-28753

A flaw was found in NGINX Plus and NGINX Open Source, specifically within the ngxmailsmtpmodule. This vulnerability allows an attacker-controlled DNS Domain Name System server to inject arbitrary headers into SMTP Simple Mail Transfer Protocol upstream requests. This is due to the improper handli...

6.3CVSS5.7AI score0.00264EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/24 7:13 p.m.4 views

CRLF Injection

Overview icalendar is an Implements the iCalendar specification RFC-5545 in Ruby. This allows for the generation and parsing of .ics files, which are used by a variety of calendaring applications. Affected versions of this package are vulnerable to CRLF Injection via the serialization process of...

5.3CVSS6AI score0.00244EPSS
Exploits1References2
FreeBSD
FreeBSD
added 2026/03/20 12:0 a.m.9 views

Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF

Seth Larson reports: HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF CVE-2026-1502...

5.7CVSS5.8AI score0.00562EPSS
Exploits0References1
SUSE Linux
SUSE Linux
added 2026/03/18 9:15 a.m.10 views

Security update for gvfs

This update for gvfs fixes the following issues: CVE-2026-28295: Fix ftp use control connection address for PASV data bsc1258953. CVE-2026-28296: Fix ftp reject paths containing CR/LF characters bsc1258954. Patch Instructions: To install this SUSE update use the SUSE recommended installation...

7.3CVSS5.7AI score0.0036EPSS
Exploits2References8
EUVD
EUVD
added 2026/03/17 12:30 p.m.4 views

EUVD-2026-12560

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soupmessagenew function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF Carriage Return Line Feed injection, occurs because the method value is not properly...

3.9CVSS5.9AI score0.00223EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/03/15 12:0 a.m.7 views

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: grafana-pcp (UTSA-2026-006194)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006194 advisory. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is us...

9.1CVSS6.7AI score0.00778EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/13 8:41 p.m.10 views

Undici has CRLF Injection in undici via `upgrade` option

Impact When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: 1. Inject arbitrary HTTP headers 2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

4.6CVSS5.9AI score0.00256EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/12 8:17 p.m.5 views

CVE-2026-1527 undici is vulnerable to CRLF Injection via upgrade option

ImpactWhen an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

4.6CVSS7.2AI score0.00256EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/03/12 12:0 a.m.7 views

mod_cluster 注入漏洞

modcluster is a httpd-based load balancer within the modcluster project. Modcluster has an injection vulnerability, which stems from a CRLF injection in the decodeenc function. This vulnerability may lead to bypassing input validation...

4.3CVSS5.8AI score0.00332EPSS
Exploits0References2
Rows per page
Query Builder