PT-2026-41939

Name of the Vulnerable Software and Affected Versions NGINX JavaScript affected versions not specified Description An issue exists when the 'js fetch proxy' directive is configured with at least one client-controlled NGINX variable, such as $http , $arg , or $cookie , and a location invokes the...

SUSE SLES15 Security Update : curl (SUSE-SU-2026:1940-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1940-1 advisory. Security issues fixed: - CVE-2026-4873: connection reuse ignores TLS requirement bsc1262631. - CVE-2026-5545: wrong reuse of HTTP...

RHEL 10 : python3.12 (RHSA-2026:19064)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19064 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

Allocation of Resources Without Limits or Throttling

Overview nicegui is a Create web-based user interfaces with Python. The nice way. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the FileResponse method. An unauthenticated attacker can exhaust disk space, saturate log pipelines, or...

CLSA-2026-1779129626 httpd: Fix of CVE-2026-28780

CVE-2026-28780: modproxyajp: heap-based buffer overflow in ajpmsgcheckheader — message size check did not subtract AJPHEADERLEN, letting a crafted AJP reply write 4 bytes past the end of the heap buffer...

CLSA-2026-1779119053 Fix of 8 CVEs

SECURITY UPDATE: modproxyajp heap buffer over-read in ajpmsggetstring - debian/patches/CVE-2026-34032.patch: add buffer checks in modules/proxy/ajpmsg.c. - CVE-2026-34032 SECURITY UPDATE: AJP getter functions off-by-one out-of-bounds reads - debian/patches/CVE-2026-33857.patch: fix length checks ...

CLSA-2026-1779118679 Fix of 8 CVEs

SECURITY UPDATE: modproxyajp heap buffer over-read in ajpmsggetstring - debian/patches/CVE-2026-34032.patch: add buffer checks in modules/proxy/ajpmsg.c. - CVE-2026-34032 SECURITY UPDATE: AJP getter functions off-by-one out-of-bounds reads - debian/patches/CVE-2026-33857.patch: fix length checks ...

Statamic CMS: Server-Side Request Forgery via Glide

Impact The Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata...

Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...

GHSA-5CVP-P7P4-MCX9 Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...

NPM: Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

NPM: Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass vulnerability discovered by ? in WordPress Npm neotoma versions = 0.6.0, 0.11.1...

[SECURITY] [DLA 4589-1] nginx security update

Debian LTS Advisory DLA-4589-1 [email protected] https://www.debian.org/lts/security/ Carlos Henrique Lima Melara May 18, 2026 https://wiki.debian.org/LTS Package : nginx Version : 1.18.0-6.1+deb11u6 CVE ID : CVE-2025-53859 CVE-2026-1642 CVE-2026-27651 CVE-2026-27654 CVE-2026-27784...

CLEANSTART-2026-OZ77074 Security fixes for ghsa-r4q5-vmmm-2653 applied in versions: 5.1.0-r1

Security vulnerability affects the configurable-http-proxy package. This issue is resolved in later releases. See references for vulnerability details...

CLEANSTART-2026-WG59699 Security fixes for CVE-2024-47535, CVE-2024-47561, CVE-2024-7254, CVE-2025-24970, CVE-2025-25193, CVE-2025-33042, CVE-2025-48924, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-67735, CVE-2025-68161, CVE-2026-33870, CVE-2026-33871, CVE-2026-41417, CVE-2026-42577, ghsa-72hv-8253-57qq applied in versions: 13.9-r0, 13.9-r1, 13.9-r2

Multiple security vulnerabilities affect the wavefront-proxy package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-MM00120 Security fixes for CVE-2024-47535, CVE-2024-47561, CVE-2024-7254, CVE-2025-24970, CVE-2025-25193, CVE-2025-33042, CVE-2025-48924, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-67735, CVE-2025-68161, CVE-2026-41417, ghsa-3pxv-7cmr-fjr4, ghsa-445c-vh5m-36rj, ghsa-6hg6-v5c8-fphq, ghsa-72hv-8253-57qq, ghsa-pwqr-wmgm-9rr8, ghsa-w9fj-cfpg-grvv applied in versions: 13.8-r0, 13.9-r0

Multiple security vulnerabilities affect the wavefront-proxy package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-JW30455 Security fixes for CVE-2024-47535, CVE-2024-47561, CVE-2024-7254, CVE-2025-24970, CVE-2025-25193, CVE-2025-33042, CVE-2025-48924, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-67735, CVE-2025-68161, CVE-2026-41417, CVE-2026-42577, ghsa-3pxv-7cmr-fjr4, ghsa-445c-vh5m-36rj, ghsa-6hg6-v5c8-fphq, ghsa-72hv-8253-57qq, ghsa-pwqr-wmgm-9rr8, ghsa-w9fj-cfpg-grvv applied in versions: 13.7-r0, 13.7-r1, 13.7-r2, 13.9-r0

Multiple security vulnerabilities affect the wavefront-proxy package. These issues are resolved in later releases. See references for individual vulnerability details...

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of netty-handler-proxy

Summary Due to use of netty-handler-proxy, DevOps Test Performance and Rational Performance Tester contain a potential header injection vulnerability. Vulnerability Details CVEID:CVE-2026-42578 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Fina...

BIT-TOMCAT-2020-1935

In Apache Tomcat 9.0.0 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy...

Security update for python310

This update for python310 fixes the following issues Security issues: CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF bsc1261969. CVE-2026-3446: base64 decoding stops at first padded quad by default bsc1261970. CVE-2026-4786: incomplete mitigation of , %action expansion fo...

SUSE-SU-2026:1947-1 Security update for python310

This update for python310 fixes the following issues Security issues: - CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF bsc1261969. - CVE-2026-3446: base64 decoding stops at first padded quad by default bsc1261970. - CVE-2026-4786: incomplete mitigation of , %action...