
128 matches found

ATTACKERKB
added 2026/05/13 7:23 p.m., 5 views

CVE-2026-42551

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['method'] parameter on any HTTP verb, including safe verbs such as GET, with no opt-in and no whitelist of permitted target methods. A GET...

CVSS 7.5, AI score 5.8, EPSS 0.0031
Exploits: 0, References: 2, Affected Software: 1
CNNVD
added 2026/05/13 12:00 a.m., 10 views

Flight security vulnerability

Flight is a PHP microframework developed by Mike Cao. Versions of Flight prior to 3.18.1 contained security vulnerabilities. These vulnerabilities stemmed from the unconditional acceptance of the X-HTTP-Method-Override header and the $_REQUEST['method'] parameter by the Request::getMethod method. This...

CVSS 7.5, AI score 5.8, EPSS 0.0031
Exploits: 0, References: 1
Tenable Nessus
added 2026/05/11 12:00 a.m., 3 views

Unity Linux 20.1060e / 20.1070e Security Update: haproxy (UTSA-2026-017423)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017423 advisory. An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by...

CVSS 5.3, AI score 6.1, EPSS 0.01756
Exploits: 0, References: 4
OSV
added 2026/05/06 9:38 p.m., 3 views

GHSA-VXRR-W42W-W76G Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass

Summary: Request::getMethod unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['method'] parameter on any HTTP verb, including safe verbs such as GET, with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF...

CVSS 7.5, AI score 5.8, EPSS 0.0031
Exploits: 0, References: 5
AstraLinux
added 2026/05/03 11:59 p.m., 6 views

Astra Linux – Vulnerability in Python 2.7, Pypy

In Python 3.x versions prior to 3.5.10, 3.6.x versions prior to 3.6.12, 3.7.x versions prior to 3.7.9, and 3.8.x versions prior to 3.8.5, CRLF injection is allowed if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of...

CVSS 7.2, AI score 7.1, EPSS 0.0642
Exploits: 1, References: 2
EUVD
added 2026/04/24 12:00 a.m., 2 views

EUVD-2025-209575

A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST...

CVSS 6.5, AI score 5.2, EPSS 0.00212
Exploits: 0, References: 2
Github Security Blog
added 2026/03/26 6:41 p.m., 6 views

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Summary: The @astrojs/vercel serverless entrypoint reads the x-astro-path header and the x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirel...

CVSS 9.1, AI score 5.9, EPSS 0.00331
Exploits: 1, References: 7, Affected Software: 1
Snyk
added 2026/03/24 7:33 p.m., 2 views

Use of GET Request Method With Sensitive Query Strings

Overview: Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the token URL query parameter, which is accepted by the authentication process. An attacker can obtain sensitive API credentials by accessing logs, browser history, clipboard...

CVSS 5.3, AI score 5.9, EPSS 0.00273
Exploits: 1, References: 2
RedhatCVE
added 2026/01/09 9:18 a.m., 3 views

CVE-2021-22166

An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method...

CVSS 7.5, AI score 6.8, EPSS 0.01377
Exploits: 0, References: 1
CVE
added 2025/11/20 1:32 a.m., 17 views

CVE-2025-13435

Dreampie Resty has a path traversal vulnerability (CVE-2025-13435) affecting HttpClient.java in Resty versions up to 1.3.1.SNAPSHOT. The issue arises from improper handling of the filename argument in Request, enabling potential remote exploitation. The vulnerability is described as highly comple...

CVSS 8.1, AI score 5.5, EPSS 0.00644
Exploits: 1, References: 4, Affected Software: 1
Positive Technologies
added 2025/10/09 12:00 a.m., 5 views

PT-2025-41410

Name of the Vulnerable Software and Affected Versions: Juniper Networks Junos Space versions prior to 24.1R3. Description: A flaw exists in the web interface of Junos Space that could allow a network-based attacker with valid credentials to download arbitrary files from the file system. An attacker...

CVSS 7.1, AI score 6.3, EPSS 0.0026
Exploits: 0, References: 4
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2018-0561

Malware in sbrugna...

CVSS 5.9, AI score 6, EPSS 0.02781
Exploits: 0, References: 21
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-18746

Malware in sbrugna...

CVSS 7.2, AI score 7.5, EPSS 0.0642
Exploits: 1, References: 29
OSV
added 2025/10/04 12:11 a.m., 6 views

RLSA-2025:7419 Important: mod_auth_openidc security update

mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Security Fixes: mod_auth_openidc: mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak...

CVSS 7.5, AI score 7.5, EPSS 0.0051
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2025-16142

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.8, EPSS 0.07062
Exploits: 0, References: 3
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2025-12783

Malicious code in bioql PyPI...

CVSS 5.3, AI score 6.6, EPSS 0.0018
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2023-41788

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00879
Exploits: 0, References: 1
Veracode
added 2025/09/08 8:33 a.m., 6 views

Authentication Bypass

Liferay Portal is vulnerable to Authentication Bypass. The vulnerability is due to improper request method validation of MFA-enabled login requests, allowing attackers to bypass authentication by changing the POST method to GET...

CVSS 2, AI score 7, EPSS 0.00469
Exploits: 1, References: 13, Affected Software: 1
Tenable Nessus
added 2025/08/30 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2018-11039

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow web applications to change the HTTP request...

CVSS 5.9, AI score 6.2, EPSS 0.02781
Exploits: 0, References: 2
NVD
added 2025/08/22 8:15 a.m., 11 views

CVE-2025-8678

The WP Crontrol plugin for WordPress is vulnerable to blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations...

CVSS 5.9, EPSS 0.00323
Exploits: 0, References: 3