CVE-2026-49017

In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently...

[SECURITY] Fedora 42 Update: haproxy-3.0.23-2.fc42

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

[SECURITY] Fedora 44 Update: haproxy-3.0.23-2.fc44

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the POST /api/notifications/test-webhook endpoint, which is accessible without authentication in the default deployment. An attacker can cause the application to send HTTP POST requests to arbitrary...

HTTP Request Smuggling

Overview starlette is a The little ASGI library that shines. Affected versions of this package are vulnerable to HTTP Request Smuggling via the request.url reconstruction process. An attacker can bypass path-based security checks by supplying a malformed Host header that causes request.url.path t...

CVE-2026-9312 Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint

A server-side request forgery SSRF vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request...

CVE-2026-9312

A server-side request forgery SSRF vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request...

CVE-2026-9312 Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint

A server-side request forgery SSRF vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request...

CVE-2026-9312

CVE-2026-9312 – GitHub Enterprise Server SSRF : An unauthenticated attacker could exploit insufficient input validation in an upload endpoint to inject path traversal and redirect internal API calls, potentially accessing internal services and sensitive credentials. Affected: all GitHub Enterpris...

PT-2026-44056

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.0 Description The executeQuery automation step accepts a queryId from automation step inputs and passes it to the query execution controller without additional validation. When a REST datasource is configured to...

PT-2026-43752

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A use-after-free issue exists in the cpcap-battery component. The problem occurs because the devm variant for requesting an IRQ is used before the devm variant for allocating or...

PT-2026-43575

Name of the Vulnerable Software and Affected Versions MetaMagic SEO Plugin versions prior to 1.7 Description The MetaMagic SEO Plugin for WordPress is subject to Cross-Site Request Forgery, a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs due to...

PT-2026-44018

Name of the Vulnerable Software and Affected Versions Jenkins GitHub Integration Plugin versions prior to 0.7.4 Description A cross-site request forgery CSRF flaw allows attackers to trigger a build for a pull request. CSRF is a type of attack that tricks a victim into submitting a malicious...

PT-2026-43535

The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search simple fields options function in functions admin.php. This makes it possible for unauthenticated...

PT-2026-43497

Name of the Vulnerable Software and Affected Versions Old Posts Highlighter versions prior to 1.0.4 Description The Old Posts Highlighter plugin for WordPress is susceptible to Cross-Site Request Forgery, a type of attack where an unauthorized user tricks a victim into performing actions they did...

CVE-2026-30498

A Cross-Site Request Forgery CSRF vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0...

PT-2026-43955

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server - Liberty versions 19.0.0.7 through 26.0.0.5 IBM WebSphere Application Server version 9.0 IBM WebSphere Application Server version 8.5 WebSphere Application Server Liberty affected versions not specified...

PT-2026-43769

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A use-after-free issue exists in the bq256xx power supply driver. The problem occurs because the devm variant for requesting an IRQ is used before the devm variant for allocating or...

PT-2026-44131

Summary The CrowdSec AppSec component fails to read the HTTP request body for any request whose Content-Length is not positive — most notably HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header. Coraza is then evaluated against an empty body...

PT-2026-44083

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate modified targets.yml is vulnerable to command injection via the pull request target trigger. Any GitHub user can execute arbitrary commands on the CI runner and...