
173 matches found

NVD
added 2 days ago, 9 views

CVE-2026-54273

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This...

CVSS 8.7, EPSS 0.00263
Exploits 0, References 2

CVE
added 2 days ago, 21 views

CVE-2026-54273

CVE-2026-54273 (AIOHTTP) affects the AIOHTTP project (async HTTP client/server for asyncio and Python). Prior to version 3.14.1, there was no limit on the number of pipelined HTTP/1 requests that could be queued, enabling potential memory exhaustion and DoS. The issue is fixed in 3.14.1. The prov...

CVSS 8.7, AI score 5.8, EPSS 0.00263
Exploits 0, References 2

ATTACKERKB
added 2 days ago, 3 views

CVE-2026-54273

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This...

CVSS 8.7, AI score 5.8, EPSS 0.00263
Exploits 0, References 3, Affected Software 1

RedHat Linux
added 2026/06/17 4:18 p.m., 6 views

netty-codec-http: Netty: Data manipulation via request-boundary confusion in HttpObjectDecoder

A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...

CVSS 5.3, AI score 5.3, EPSS 0.00232
Exploits 0, References 7

RedHat Linux
added 2026/06/17 3:45 p.m., 5 views

netty-codec-http: Netty: Data manipulation via request-boundary confusion in HttpObjectDecoder

A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...

CVSS 5.3, AI score 5.3, EPSS 0.00232
Exploits 0, References 7

OSV
added 2026/06/15 8:46 p.m., 4 views

GHSA-HVCG-QMG6-JM4C Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted

Summary: Before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControl(b) is true (0x00–0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance...

CVSS 5.3, AI score 5.4, EPSS 0.00232
Exploits 0, References 5

Snyk
added 2026/06/15 8:10 p.m., 5 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the handling of HTTP/1 pipelined requests queue without a limit. An attacker can exhaust system memory by sending a large number of pipelined requests, potentially causing...

CVSS 8.7, AI score 5.3, EPSS 0.00263
Exploits 0, References 2

Github Security Blog
added 2026/06/15 8:10 p.m., 7 views

aiohttp: HTTP/1 Pipelined Requests Queue Without Limit

Summary: No limit was present on the number of pipelined requests that could be queued. Impact: An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. Patch:...

CVSS 8.7, AI score 5.3, EPSS 0.00263
Exploits 0, References 3, Affected Software 1

OSV
added 2026/06/15 8:10 p.m., 4 views

GHSA-4FVR-RGM6-GQMC aiohttp: HTTP/1 Pipelined Requests Queue Without Limit

Summary: No limit was present on the number of pipelined requests that could be queued. Impact: An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. Patch:...

CVSS 8.7, AI score 5.3, EPSS 0.00263
Exploits 0, References 3

RedhatCVE
added 2026/06/15 8:36 a.m., 9 views

CVE-2026-50020

A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...

CVSS 5.3, AI score 4.9, EPSS 0.00232
Exploits 0, References 6

Positive Technologies
added 2026/06/15 12:00 a.m., 11 views

PT-2026-49587

Name of the Vulnerable Software and Affected Versions: AIOHTTP versions prior to 3.14.1. Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. The software lacked a limit on the number of pipelined requests that could be queued. An attacker could exploit this b...

CVSS 8.7, AI score 5.9, EPSS 0.00263
Exploits 0, References 5

CVE
added 2026/06/12 2:55 p.m., 46 views

CVE-2026-50020

Netty (network framework) contains a flaw in HttpObjectDecoder: prior to reading the first request-line, it ignores all ISO control bytes (0x00–0x1F, 0x7F) plus whitespace, beyond what RFC 9112 allows. This can cause request-boundary confusion in pipelined or multiplexed transports. Affects Netty...

CVSS 5.3, AI score 5.4, EPSS 0.00232
Exploits 0, References 3, Affected Software 1

AstraLinux
added 2026/05/20 5:53 a.m., 3 views

Astra Linux – Vulnerability in Twisted

Twisted is an event-based framework for internet applications, compatible with Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, potentially leading to information disclosure. This vulnerability has been fixed in 24.7.0rc1...

CVSS 8.3, AI score 7.5, EPSS 0.00856
Exploits 0, References 2

Snyk
added 2026/05/07 12:21 a.m., 11 views

HTTP Request Smuggling

Overview: io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling in the HttpClientCodec component. An attacker can cause response...

CVSS 9.1, AI score 5.8, EPSS 0.00426
Exploits 1, References 2

AstraLinux
added 2026/05/03 11:59 p.m., 4 views

Astra Linux – Vulnerability in Twisted

In Twisted Web version 19.10.0, there was an HTTP request splitting vulnerability. When two content-length headers were provided, the system ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request...

CVSS 9.8, AI score 8, EPSS 0.04083
Exploits 1, References 2

AstraLinux
added 2026/05/03 11:59 p.m., 6 views

Astra Linux – Vulnerability in Waitress

Waitress version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value. If that value was not in the “chunked” format, it would proceed using the Content-Length header instead. According to the HTTP standard, Transfer-Encoding should be a comma-separated list, wit...

CVSS 7.5, AI score 6.3, EPSS 0.02545
Exploits 0, References 2

Tenable Nessus
added 2026/01/16 12:00 a.m., 8 views

MiracleLinux 7 : tomcat-7.0.76-3.el7 (AXSA:2017-2389:05)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2017-2389:05 advisory. A vulnerability was discovered in Tomcat's handling of pipelined requests when Sendfile was used. If sendfile processing completed quickly, it was...

CVSS 8.1, AI score 7.8, EPSS 0.99988
Exploits 35, References 5

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2020-29509

Malware in sbrugna...

CVSS 7.5, AI score 7.6, EPSS 0.01823
Exploits 0, References 4

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2018-15693

Malware in sbrugna...

CVSS 10, AI score 9.1, EPSS 0.01435
Exploits 3, References 2

EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2022-2183

Malicious code in bioql PyPI...

CVSS 7.5, AI score 8.5, EPSS 0.1684
Exploits 0, References 67