Lucene search
K

370 matches found

NVD
NVD
added 5 days ago7 views

CVE-2026-50188

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request, Remote::get, and Remote::post, to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters...

6.9CVSS0.0029EPSS
Exploits0References5
CVE
CVE
added last week15 views

CVE-2026-55427

Coder exposes SSH config injection risk via the config-ssh command: before 2.34.2, 2.33.8, 2.32.7, and 2.29.17, server-supplied values for HostnameSuffix and SSHConfigOptions could be written into ~/.ssh/config without rejecting newlines or restricting directives. This could enable a malicious or...

8.3CVSS6.1AI score0.00466EPSS
Exploits0References6Affected Software1
OSV
OSV
added last week4 views

DEBIAN-CVE-2026-14740

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byt...

9.1CVSS6AI score0.00407EPSS
Exploits0References1
NVD
NVD
added 2026/07/07 3:16 p.m.8 views

CVE-2026-53878

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...

6.1CVSS0.00217EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/07/07 2:10 p.m.4 views

CVE-2026-53878

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...

6.1CVSS5.8AI score0.00217EPSS
Exploits0
Cvelist
Cvelist
added 2026/07/07 2:10 p.m.35 views

CVE-2026-53878 Header injection possibility since DomainNameValidator accepted newlines in input

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...

6.1CVSS0.00217EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 2:10 p.m.14 views

CVE-2026-53878

CVE-2026-53878 affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The issue lies in DomainNameValidator not prohibiting newlines in domain names, which can enable header injection if an application places such values in an HTTP response. Django itself remains unaffected because HttpResponse b...

6.1CVSS5.8AI score0.00217EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.11 views

PT-2026-56274

Name of the Vulnerable Software and Affected Versions DBI versions prior to 1.650 Description An out-of-bounds read of one byte occurs in the preparse function when deleting an initial SQL comment. This happens during the normalization of SQL and the removal of comments. On memory-hardened builds...

9.1CVSS6AI score0.00407EPSS
Exploits0References16
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.11 views

PT-2026-56197

Name of the Vulnerable Software and Affected Versions Django versions prior to 6.0.7 Django versions prior to 5.2.16 Description An issue exists where DomainNameValidator fails to prohibit newlines in domain names. While CharField strips newlines when used via a form field, other implementations...

6.1CVSS6.1AI score0.00217EPSS
Exploits0References64
NVD
NVD
added 2026/06/22 12:16 p.m.17 views

CVE-2026-11373

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

9.1CVSS0.00352EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/06/22 11:28 a.m.3 views

CVE-2026-11373

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

8.2CVSS5.8AI score0.00352EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/22 11:28 a.m.10 views

EUVD-2026-38224

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol...

9.1CVSS5.8AI score0.00352EPSS
Exploits0References6
CVE
CVE
added 2026/06/22 11:28 a.m.20 views

CVE-2026-11373

Summary of CVE-2026-11373 (Net::Statsite::Client) : The Perl client (versions through 1.1.0) is vulnerable to metric injections because metric names are not sanitized for newlines or other protocol control characters (e.g., colons, pipes), and newlines are not removed from metrics. This can allow...

9.1CVSS5.8AI score0.00352EPSS
Exploits0References6
NVD
NVD
added 2026/06/10 7:16 p.m.16 views

CVE-2026-50639

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions such as dogstatsd allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends...

6.5CVSS0.00264EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/10 6:32 p.m.13 views

EUVD-2026-36105

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions such as dogstatsd allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends...

9.1CVSS5.4AI score0.00343EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/10 6:32 p.m.7 views

CVE-2026-50637 Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections

Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions allow mutiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the name...

5.8AI score0.00323EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/10 1:5 p.m.11 views

EUVD-2026-36021

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between //, allowing attackers to perform phishing attacks...

4.3CVSS5.5AI score0.00364EPSS
Exploits0References1
OSV
OSV
added 2026/06/09 2:27 p.m.64 views

GHSA-W7JW-789Q-3M8P shell-quote quote() does not escape newlines in object .op values

Summary shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore...

9.2CVSS5.6AI score0.00848EPSS
Exploits1References6
Tenable Nessus
Tenable Nessus
added 2026/06/08 12:0 a.m.11 views

SUSE SLED15 / SLES15 Security Update : perl-Net-CIDR-Lite (SUSE-SU-2026:2113-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2113-1 advisory. This update for perl-Net-CIDR-Lite fixes the following issues - CVE-2026-45190: improper validation of trailin...

7.5CVSS5.7AI score0.00311EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.16 views

CVE-2026-39414

MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit function...

7.1CVSS5.4AI score0.00485EPSS
Exploits0References1
Rows per page
Query Builder