CVE-2026-41853

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...

CVE-2026-41853 Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...

CVE-2026-41853

CVE-2026-41853 concerns Multipart request smuggling in Spring Framework’s Spring MVC and WebFlux components. Affected are Spring Framework versions: 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. The CVE entry identifies the issue as a vulnerability in multipart handling, with an accompan...

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by multiple vulnerabilities when using Web Server Plug-ins (CVE-2026-8633, CVE-2026-8620)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by remote code execution and HTTP request smuggling when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Application Server component...

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by multiple vulnerabilities when using Web Server Plug-ins (CVE-2026-8633, CVE-2026-8620)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by remote code execution and HTTP request smuggling when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Application Server component...

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by multiple vulnerabilities when using Web Server Plug-ins (CVE-2026-8633, CVE-2026-8620)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by remote code execution and HTTP request smuggling when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Application Server component. Vulnerabilit...

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by multiple vulnerabilities when using Web Server Plug-ins (CVE-2026-8633, CVE-2026-8620)

Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by remote code execution and HTTP request smuggling when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Application Server component. Vulnerability...

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to HTTP Request Smuggling CVE-2026-1002

Summary Vert.x is used by the IBM Datapower Operations Dashboard as part of their network implementation Vulnerability Details CVEID:CVE-2026-1002 DESCRIPTION: The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using...

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to HTTP Request Smuggling CVE-2025-58056

Summary Netty is used by the IBM Datapower Operations Dashboard as part of their server implementation Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and...

USN-8401-1 netty vulnerabilities

It was discovered that Netty's HTTP proxy handler did not properly validate headers when constructing CONNECT requests. An attacker could possibly use this issue to inject arbitrary HTTP headers into CONNECT requests. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,...

USN-8401-1: Netty vulnerabilities

It was discovered that Netty's HTTP proxy handler did not properly validate headers when constructing CONNECT requests. An attacker could possibly use this issue to inject arbitrary HTTP headers into CONNECT requests. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,...

Qlik Sense Enterprise - HTTP Request Smuggling

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunnelin...

Medium: perl-HTTP-Tiny

Issue Overview: HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values. An attacker w...

Medium: libsoup3

Issue Overview: OOB Read via Integer Overflow on libsoup through libsoup/websocket/soup-websocket-connection.c via processframe leads to Undefined Behavior CVE-2026-0716 A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF Carriage Return Line Feed Injection,...

Medium: perl-HTTP-Tiny

Issue Overview: HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values. An attacker w...

CVE-2026-7010

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values. An attacker who controls one ...

CVE-2026-41873

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

CVE-2026-48861

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encoderequestline/2 function splices the caller-supplied method and target arguments directly into the HTTP/1...

CVE-2026-49753

Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.contentlengthheader/1 in...

CVE-2026-8620

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request...