Lucene search
+L

45836 matches found

CVE
CVE
added yesterday10 views

CVE-2026-50274

Datadog dd-trace-go (Go client library for Datadog APM/ profiling/ security monitoring) is affected prior to version 2.8.1 due to improper enforcement of DD_TRACE_BAGGAGE_MAX_ITEMS/MAX_BYTES on the baggage header extract path. A remote, unauthenticated attacker can send HTTP requests with an exce...

7.5CVSS5.4AI score0.00106EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday17 views

CVE-2026-50272 dd-trace: Improper parsing of W3C baggage headers may lead to DoS

dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/textmap.js parsed incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on...

7.5CVSS0.00106EPSS
Exploits0References4
CVE
CVE
added yesterday39 views

CVE-2026-44974

CVE-2026-44974 affects the @hapi/content header parser. Before v6.0.2, Content.disposition() kept the last value for duplicate parameters while Content.type() kept the first for duplicate charset/boundary parameters, creating a parameter-smuggling primitive when duplicates are resolved inconsiste...

7.7CVSS5.2AI score0.00052EPSS
Exploits0References2
EUVD
EUVD
added yesterday5 views

EUVD-2026-45243

Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DDTRACEBAGGAGEMAXITEMS or DDTRACEBAGGAGEMAXBYTES on extraction, allowing a remote...

7.5CVSS5.5AI score0.00106EPSS
Exploits0References4
CVE
CVE
added yesterday11 views

CVE-2026-50273

Datadog .NET Tracer (dd-trace-dotnet) is affected prior to version 3.43.0 by CVE-2026-50273 due to improper parsing of W3C baggage headers. The extraction path does not enforce DD_TRACE_BAGGAGE_MAX_ITEMS or DD_TRACE_BAGGAGE_MAX_BYTES, allowing a remote unauthenticated attacker to send a header wi...

7.5CVSS5.4AI score0.00106EPSS
Exploits0References4
AlpineLinux
AlpineLinux
added yesterday5 views

CVE-2026-14741

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

5.3AI score
Exploits0
CVE
CVE
added yesterday10 views

CVE-2026-14741

CVE-2026-14741 affects the Perl module HTTP::Date (versions before 6.08). The vulnerability arises in parse_date() where a chain of alternative regexes with unbounded quantifiers, combined with a trailing \s*$, can trigger polynomial (≈quadratic) backtracking in the date parser invoked by str2tim...

5.3AI score
Exploits0References4
EUVD
EUVD
added yesterday6 views

EUVD-2026-45190

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

5.3AI score
Exploits0References3
RedhatCVE
RedhatCVE
added yesterday5 views

CVE-2026-41854

A flaw was found in Spring Framework. Due to incorrect host parsing in the UriComponentsBuilder component, applications that process externally provided URL strings may be vulnerable to a Server-Side Request Forgery SSRF attack. An SSRF attack allows an attacker to trick the server into making...

6.5CVSS4.9AI score0.00123EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday52 views

Apache Tomcat - HTTP Request Smuggling

Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicio...

5.3CVSS6.6AI score0.05848EPSS
Exploits2References3
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60780

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse date. parse date matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

5.4AI score
Exploits0References4
CVE
CVE
added 2 days ago32 views

CVE-2026-44982

CVE-2026-44982 affects CrowdSec AppSec. The bug in pkg/appsec/request.go NewParsedRequestFromRequest reads the body using max(r.ContentLength, 0), causing HTTP/1.1 chunked and HTTP/2 without Content-Length to appear with an empty body, bypassing body-inspection rules (REQUEST_BODY, BODY_ARGS, ARG...

7.2CVSS6.1AI score0.00217EPSS
Exploits0References5
CVE
CVE
added 2 days ago7 views

CVE-2026-13401

CVE-2026-13401 affects Perl’s XML::Bare up to version 0.53. The vulnerability is a hang/infinite loop in the attribute parser: the parserc_parse state cursor does not advance for certain malformed attribute forms (e.g., nameless attributes like ), causing looping. Impact is a potential denial-of-...

7.5CVSS6.1AI score0.00186EPSS
Exploits0References3
CVE
CVE
added 2 days ago7 views

CVE-2026-13397

CVE-2026-13397 affects HTML::Bare up to version 0.04 for Perl. The vulnerability is an infinite loop in the parser when encountering certain malformed attributes, because parserc_parse does not advance the attribute-parse state cursor for those forms (e.g., nameless attributes like and unbalance...

7.5CVSS6.1AI score0.00186EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2 days ago5 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

7.5CVSS7.1AI score0.00728EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2 days ago5 views

CVE-2026-59249 Sign-tolerant HTTP/1 chunk-size parser in Mint enables response smuggling against strict intermediaries on pooled connections

Inconsistent interpretation of HTTP requests HTTP response smuggling vulnerability in elixir-mint mint allows a malicious HTTP/1 server to desynchronize a strict intermediary and the Mint client on the same pooled connection, enabling response-queue poisoning against subsequent requests that shar...

6.3CVSS6.1AI score0.00301EPSS
Exploits0References4
Nuclei
Nuclei
added 2 days ago22 views

Kubernetes API Server - YAML Parsing DoS (Billion Laughs)

The Kubernetes API server is vulnerable to a denial of service attack via YAML/JSON parsing. An attacker can send a specially crafted YAML/JSON payload that causes exponential memory consumption Billion Laughs attack, leading to API server crash. id: CVE-2019-11253 info: name: Kubernetes API Serv...

7.5CVSS6.7AI score0.25939EPSS
Exploits2References3
OSV
OSV
added 2 days ago5 views

RLSA-2026:39868 Important: nodejs:24 security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-42338 undici: undici: Denial of Service due to...

8.1CVSS6.5AI score0.02806EPSS
Exploits1References16
Tenable Nessus
Tenable Nessus
added 2 days ago3 views

openSUSE 16 Security Update : go1.25-openssl (openSUSE-SU-2026:21319-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21319-1 advisory. This update for go1.25-openssl fixes the following issues - Update to version go1.25.12 bsc1244485. - CVE-2025-61732: cmd/cgo: discrepancy betwe...

10CVSS6.9AI score0.00939EPSS
Exploits1References94
Positive Technologies
Positive Technologies
added 2 days ago10 views

PT-2026-60588

Name of the Vulnerable Software and Affected Versions YAML::Syck versions prior to 1.47 Description An issue exists where a use-after-free and double-free occur via an anchor node that is freed while remaining on the parser value stack. In the bundled libsyck, when an anchor name is redefined or...

6.2CVSS5.3AI score0.00186EPSS
Exploits0References7
Rows per page
Query Builder