CVE-2026-2833

An HTTP request smuggling vulnerability CWE-444 was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the...

Timing Attack

Dragonfly is vulnerable to Timing Attack. The vulnerability is due to the use of simple string comparisons in the Proxy feature’s access control mechanism, which allows an attacker to guess the password one character at a time by analyzing response time variations...

EUVD-2025-26876

Malicious code in bioql PyPI...

CVE-2025-59350

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time...

CVE-2025-59350

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time...

Dragonfly 安全漏洞

Dragonfly is an open source framework from DragonflyDB that allows dynamic processing of any content type. A security vulnerability exists in Dragonfly versions prior to 2.1.0, which stems from the proxy function access control mechanism using simple string comparisons, which is vulnerable to...

CVE-2025-58362 Hono contains a flaw in URL path parsing, potentially leading to path confusion

Hono is a Web application framework that provides support for any JavaScript runtime. Versions 4.8.0 through 4.9.5 contain a flaw in the getPath utility function which could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. The original implementation relie...

GHSA-9HP6-4448-45G2 Hono's flaw in URL path parsing could cause path confusion

Summary A flaw in the getPath utility function could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. Details The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this...

Hono's flaw in URL path parsing could cause path confusion

Summary A flaw in the getPath utility function could allow path confusion and potential bypass of proxy-level ACLs e.g. Nginx location blocks. Details The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this...

BIT-NODE-2025-23167

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...

CVE-2025-23167

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...

PT-2022-23368 · Osu Open Source · Vncauthproxy

Name of the Vulnerable Software and Affected Versions: OSU Open Source Lab VNCAuthProxy versions 1.1.1 and earlier Description: The issue is an authentication-bypass vulnerability in the VNCServerAuthenticator, located in vncap/vnc/protocol.py, which could allow a malicious actor to gain...