Lucene search

25 matches found

Cvelist
added 2026/06/08 2:12 p.m., 38 views

CVE-2026-43974 gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM

Unexpected Status Code or Return Value vulnerability in ninenines gun gunhttp module allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. In gunhttp:handleinform/8, when a 101 Switching Protocols response is received over...

CVSS 8.7, EPSS 0.00381
Exploits 0, References 3
Snyk
added 2026/04/14 11:42 p.m., 7 views

Resource Injection

Overview Affected versions of this package are vulnerable to Resource Injection in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can bypass intended validation by supplying specially crafted package metadata IDs or versions. Remediation Upgrade...

CVSS 9.6, AI score 5.8, EPSS 0.00527
Exploits 0, References 3
UbuntuCve
added 2026/04/12 8:16 p.m., 2 views

CVE-2026-40394

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service daemon panic for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is...

CVSS 7.5, AI score 6, EPSS 0.00236
Exploits 0, References 2
CVE
added 2026/04/12 7:17 p.m., 27 views

CVE-2026-40394

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 are affected by a workspace overflow during HTTP/2 session upgrade. The vulnerability arises when the HTTP/2 upgrade path repurposes an HTTP/1 request as stream zero and allocates a buffer to reserve space for frames, which can ...

CVSS 7.5, AI score 6, EPSS 0.00236
Exploits 0, References 1, Affected Software 1
SUSE CVE
added 2026/03/25 12:24 a.m., 4 views

SUSE CVE-2026-32136

AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext h2c. Once the upgrade is accepted, the resulting...

CVSS 9.8, AI score 5.9, EPSS 0.00735
Exploits 2, References 3
EUVD
added 2026/03/12 2:47 p.m., 4 views

EUVD-2026-11416

AdGuard Home: HTTP/2 Cleartext h2c Upgrade Authentication Bypass...

CVSS 9.8, AI score 5.8, EPSS 0.00735
Exploits 2, References 2
NVD
added 2026/03/11 10:16 p.m., 6 views

CVE-2026-32136

AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext h2c. Once the upgrade is accepted, the resulting...

CVSS 9.8, EPSS 0.00735
Exploits 2, References 1
RedhatCVE
added 2026/01/09 9:6 a.m., 14 views

CVE-2024-34343

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The navigateTo function attempts to block the javascript: protocol, but does not correctly use APIs provided by unjs/ufo. This library also contains parsing discrepancies. The function first...

CVSS 6.3, AI score 6.4, EPSS 0.00411
Exploits 1, References 1
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-30014

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.0126
Exploits 1, References 5
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-28538

Malicious code in bioql PyPI...

CVSS 9.8, AI score 9.1, EPSS 0.00847
Exploits 0, References 4
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2024-36338

Malicious code in bioql PyPI...

CVSS 5.4, AI score 5.5, EPSS 0.01715
Exploits 0, References 2
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-6743

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7, EPSS 0.01151
Exploits 0, References 17
NVD
added 2025/06/19 10:15 a.m., 3 views

CVE-2025-31698

ACL configured in ipallow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting proxy.config.acl.subjects to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects...

CVSS 7.5, EPSS 0.00448
Exploits 0, References 1
RedhatCVE
added 2025/05/22 9:47 p.m., 6 views

CVE-2022-25335

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major...

CVSS 7.5, AI score 6.9, EPSS 0.0126
Exploits 1, References 1
OSV
added 2024/08/21 5:12 p.m., 3 views

CLSA-2024-1724260328 Fix CVE(s): CVE-2024-0450

SECURITY UPDATE: exploit “quoted-overlap” zip-bombs with a high compression ratio - debian/patches/CVE-2024-0450.patch: Protect zipfile from "quoted-overlap" zipbomb - CVE-2024-0450 replace TLSv1 by TLSv1.2 since TLSv1 is not supported in the following tests: - Lib/test/testftplib.py -...

CVSS 6.2, AI score 6.8, EPSS 0.00333
Exploits 0, References 1
Veracode
added 2024/06/07 5:23 a.m., 12 views

Request Smuggling

github.com/envoyproxy/envoy is vulnerable to Request Smuggling. The vulnerability is due to Envoy incorrectly accepting a 200 response code from a server when a protocol upgrade is requested, even though a 200 response does not indicate a protocol switch. Attackers could exploit this by tricking ...

CVSS 8.2, AI score 5.8, EPSS 0.00361
Exploits 0, References 2, Affected Software 1
NVD
added 2022/12/09 6:15 p.m., 15 views

CVE-2022-23483

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol RDP. xrdp v0.9.21 contains an Out of Bound Read in libxrdpsendtochannel function. There are no known workarounds for this issue. Users are advised to upgrade...

CVSS 9.1, EPSS 0.00822
Exploits 0, References 2
ATTACKERKB
added 2022/02/18 6:15 p.m., 86 views

CVE-2022-25335

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major...

CVSS 7.5, AI score 7.1, EPSS 0.0126
In wild, Exploits 1, References 6
NVD
added 2022/02/18 6:15 p.m., 18 views

CVE-2022-25335

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major...

CVSS 7.5, EPSS 0.0126
Exploits 1, References 5
Prion
added 2022/02/18 6:15 p.m., 18 views

Spoofing

RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for setMultipleAllowances. This enables token manipulation, as exploited in the wild in February 2022. NOTE: although 2022-02-17 is the vendor's vulnerability announcement date, the vulnerability will not be remediated until a major...

CVSS 5, AI score 7.5, EPSS 0.0126
Exploits 1, References 5, Affected Software 1