45836 matches found
CVE-2026-50274
Datadog dd-trace-go (Go client library for Datadog APM/ profiling/ security monitoring) is affected prior to version 2.8.1 due to improper enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS/MAX_BYTES on the baggage header extract path. A remote, unauthenticated attacker can send HTTP requests with an exce...
CVE-2026-50272 dd-trace: Improper parsing of W3C baggage headers may lead to DoS
dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/textmap.js parsed incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on...
CVE-2026-44974
CVE-2026-44974 affects the @hapi/content header parser. Before v6.0.2, Content.disposition() kept the last value for duplicate parameters while Content.type() kept the first for duplicate charset/boundary parameters, creating a parameter-smuggling primitive when duplicates are resolved inconsiste...
EUVD-2026-45243
Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...
CVE-2026-50273
Datadog .NET Tracer (dd-trace-dotnet) is affected prior to version 3.43.0 by CVE-2026-50273 due to improper parsing of W3C baggage headers. The extraction path does not enforce DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES, allowing a remote unauthenticated attacker to send a header wi...
CVE-2026-14741
HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...
CVE-2026-14741
CVE-2026-14741 affects the Perl module HTTP::Date (versions before 6.08). The vulnerability arises in parse_date() where a chain of alternative regexes with unbounded quantifiers, combined with a trailing \s*$, can trigger polynomial (≈quadratic) backtracking in the date parser invoked by str2tim...
EUVD-2026-45190
HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...
CVE-2026-41854
A flaw was found in Spring Framework. Due to incorrect host parsing in the UriComponentsBuilder component, applications that process externally provided URL strings may be vulnerable to a Server-Side Request Forgery SSRF attack. An SSRF attack allows an attacker to trick the server into making...
Apache Tomcat - HTTP Request Smuggling
Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicio...
PT-2026-60780
HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse date. parse date matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...
CVE-2026-44982
CVE-2026-44982 affects CrowdSec AppSec. The bug in pkg/appsec/request.go NewParsedRequestFromRequest reads the body using max(r.ContentLength, 0), causing HTTP/1.1 chunked and HTTP/2 without Content-Length to appear with an empty body, bypassing body-inspection rules (REQUEST_BODY, BODY_ARGS, ARG...
CVE-2026-13401
CVE-2026-13401 affects Perl’s XML::Bare up to version 0.53. The vulnerability is a hang/infinite loop in the attribute parser: the parserc_parse state cursor does not advance for certain malformed attribute forms (e.g., nameless attributes like ), causing looping. Impact is a potential denial-of-...
CVE-2026-13397
CVE-2026-13397 affects HTML::Bare up to version 0.04 for Perl. The vulnerability is an infinite loop in the parser when encountering certain malformed attributes, because parserc_parse does not advance the attribute-parse state cursor for those forms (e.g., nameless attributes like and unbalance...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
CVE-2026-59249 Sign-tolerant HTTP/1 chunk-size parser in Mint enables response smuggling against strict intermediaries on pooled connections
Inconsistent interpretation of HTTP requests HTTP response smuggling vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that shar...
Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
The Kubernetes API server is vulnerable to a denial of service attack via YAML/JSON parsing. An attacker can send a specially crafted YAML/JSON payload that causes exponential memory consumption Billion Laughs attack, leading to API server crash. id: CVE-2019-11253 info: name: Kubernetes API Serv...
RLSA-2026:39868 Important: nodejs:24 security, bug fix, and enhancement update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-42338 undici: undici: Denial of Service due to...
openSUSE 16 Security Update : go1.25-openssl (openSUSE-SU-2026:21319-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21319-1 advisory. This update for go1.25-openssl fixes the following issues - Update to version go1.25.12 bsc1244485. - CVE-2025-61732: cmd/cgo: discrepancy betwe...
PT-2026-60588
Name of the Vulnerable Software and Affected Versions YAML::Syck versions prior to 1.47 Description An issue exists where a use-after-free and double-free occur via an anchor node that is freed while remaining on the parser value stack. In the bundled libsyck, when an anchor name is redefined or...