Apache HTTP Server - ACL Bypass

Encoding problem in modproxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. id: CVE-2024-38473 info: name: Apache HTTP Server - ACL Bypass author: pdteam severity: high...

Apache Tomcat JK Connect <=1.2.44 - Manager Access

Apache Tomcat JK modjk Connector 1.2.0 to 1.2.44 allows specially constructed requests to expose application functionality through the reverse proxy. It is also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is so...

Php-mod/curl Library <2.3.2 - Cross-Site Scripting

Php-mod/curl library before 2.3.2 contains a cross-site scripting vulnerability via the postfilepathupload.php key parameter and the POST data to postmultidimensional.php. An attacker can inject arbitrary script, which can allow theft of cookie-based authentication credentials and launch of other...

httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data()

A flaw was found in the modproxyajp module of httpd. When processing AJP Apache JServ Protocol messages, the ajpparsedata function attempts to read data beyond the allocated buffer size, allowing an attacker or a malformed request to cause a heap-based buffer over-read. This issue potentially lea...

httpd: mod_md: unrestricted OCSP response leads to resource exhaustion

A flaw was found in the modmd module of httpd. When processing OCSP Online Certificate Status Protocol responses from a malicious or compromised OCSP responder, the module fails to enforce proper size limits on the incoming data. This issue leads to memory exhaustion and a denial of service...

httpd: mod_authn_socache: NULL pointer dereference can cause a child process crash

A flaw was found in the modauthnsocache module of httpd. This vulnerability allows an unauthenticated remote user to crash a child process due to a NULL pointer dereference when the server is operating in a caching forward proxy configuration...

httpd: mod_md: unrestricted OCSP response leads to resource exhaustion

A flaw was found in the modmd module of httpd. When processing OCSP Online Certificate Status Protocol responses from a malicious or compromised OCSP responder, the module fails to enforce proper size limits on the incoming data. This issue leads to memory exhaustion and a denial of service...

Astra Linux – Vulnerability in Apache2

If the Apache HTTP Server 2.4.53 is configured to perform transformations using modsed, especially in contexts where the input to modsed can be very large, modsed may cause excessive memory allocation and trigger an abort...

Astra Linux – Vulnerability in Apache2

A out-of-bounds read vulnerability exists in the modmacro module of the Apache HTTP Server. This issue affects the Apache HTTP Server version up to 2.4.57...

Astra Linux – Vulnerability in Apache2

A potential vulnerability in modrewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by modproxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue...

Astra Linux – Vulnerability in Apache2

A properly crafted method sent via HTTP/2 will bypass validation and be forwarded by modproxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server versions 2.4.17 to 2.4.48...

Astra Linux – Vulnerability in Apache2

In the Apache HTTP Server with modproxy loaded, SSRF allows an attacker to send outbound proxy requests to a URL controlled by the attacker. This requires a unusual configuration, where modheaders is used to modify the Content-Type header of the request or response, with a value provided in the...

Astra Linux – Vulnerability in Apache2

Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor can the Apache HTTP Server team have created such a report. However, certain compilers and/or compilation options...

Fedora 45 : nginx / nginx-mod-brotli / nginx-mod-fancyindex / etc (2026-e212182e6e)

The remote Fedora 45 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-e212182e6e advisory. nginx-mod-brotli: - Rebuild for 1.30.3 nginx-mod-fancyindex: - Rebuild for 1.30.3 nginx-mod-modsecurity: - Rebuild for 1.30.3 nginx-mod-headers-more...

mod_http2 security update

An update is available for modhttp2. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top o...

CVE-2026-29170

A flaw was found in Apache HTTP Server, specifically within the modproxyftp module. This cross-site scripting XSS vulnerability occurs during the generation of HTML directory lists when the server is configured to list FTP directory contents via either a forward or reverse proxy. An attacker coul...

RockyLinux 10 : mod_http2 (RLSA-2026:25225)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:25225 advisory. httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack CVE-2026-49975 Tenable has extracted the preceding description block...

USN-8425-1 libnginx-mod-js vulnerability

It was discovered that njs did not properly handle certain client- controlled variables when processing ngx.fetch requests. An attacker could possibly use this issue to trigger a heap buffer overflow, resulting in arbitrary code execution or a denial of service...

CVE-2026-47189

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim...

CVE-2026-47181 PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a...