Lucene search
K

3237 matches found

CVE
CVE
added 2026/05/25 2:0 p.m.24 views

CVE-2026-47069

CVE-2026-47069 describes a CRLF Injection in the Hackney library. The vulnerability arises from hackney_cookie:setcookie/3: Name/Value are checked for CRLF, but the domain and path options are concatenated into the output iolist without validation. An attacker controlling either option (e.g., Hos...

5.3CVSS6AI score0.00374EPSS
Exploits1References4Affected Software1
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.11 views

Hackney 安全漏洞

Hackney is a program library from Hackney, Inc. A security vulnerability exists in hackney versions prior to 0.9.0 through 4.0.1, which stems from a lack of CRLF sequence checking of the domain and path options in the cookie setup function, which could lead to HTTP response splitting...

5.3CVSS5.8AI score0.00374EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/05/25 12:0 a.m.22 views

PT-2026-43066

Name of the Vulnerable Software and Affected Versions hackney versions 0.9.0 through 4.0.0 Description Improper Neutralization of CRLF Sequences, also known as CRLF Injection, allows HTTP Response Splitting. The setcookie/3 function in src/hackney cookie.erl validates Name and Value arguments...

5.3CVSS6AI score0.00374EPSS
Exploits1References9
OSV
OSV
added 2026/05/22 1:18 p.m.15 views

OESA-2026-2402 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: A NULL pointer dereference in the modauthnsocache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users ar...

6.5CVSS5.8AI score0.00514EPSS
Exploits0References5
OSV
OSV
added 2026/05/22 1:18 p.m.9 views

OESA-2026-2401 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to...

8.8CVSS5.8AI score0.00654EPSS
Exploits2References10
OSV
OSV
added 2026/05/22 1:18 p.m.6 views

OESA-2026-2400 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: A NULL pointer dereference in the modauthnsocache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users ar...

6.5CVSS5.8AI score0.00514EPSS
Exploits0References5
OSV
OSV
added 2026/05/22 1:18 p.m.12 views

OESA-2026-2398 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: A NULL pointer dereference in the modauthnsocache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users ar...

6.5CVSS5.8AI score0.00514EPSS
Exploits0References5
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerability in Apache2

Splitting of HTTP responses across multiple modules in the Apache HTTP Server allows an attacker who can inject malicious response headers into backend applications to carry out an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue...

6.3CVSS6.5AI score0.02874EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in Apache2

HTTP response splitting in the core of the Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was identified as CVE-2023-38709, but the patch included in Apache...

7.5CVSS6.6AI score0.00679EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in JRuby

Before Ruby 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an HTTP Response Splitting attack was possible. An attacker could inject a crafted key and value into an HTTP response for the WEBrick HTTP server...

5.3CVSS6.8AI score0.0576EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerability in Netty

The Netty project is an event-driven, asynchronous network application framework. Starting from version 4.1.83.Final and before 4.1.86.Final, when calling DefaultHttpHeaders.set with an iterator of values, header value validation was not performed. This allowed malicious header values in the...

6.5CVSS7AI score0.00885EPSS
Exploits1References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.2 views

Astra Linux – Vulnerability in JRuby

Versions of Ruby from 2.4.7, 2.5.x up to 2.5.6, and 2.6.x up to 2.6.4 allow HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit this to insert a newline character to split the header, thereby injecting malicious content to...

5.3CVSS6.5AI score0.04569EPSS
Exploits0References1
OSV
OSV
added 2026/05/19 12:19 a.m.7 views

CLSA-2026-1779118869 Fix of 8 CVEs

SECURITY UPDATE: fix off-by-one out-of-bounds read in modproxyajp message getter functions - debian/patches/CVE-2026-33857-prereq.patch: prerequisite fix for ajpmsgcheckheader bounds check to keep msg-len within buffer - debian/patches/CVE-2026-33857.patch: fix off-by-one out-of-bounds read in...

8.8CVSS5.9AI score0.00654EPSS
Exploits2References1
SUSE Linux
SUSE Linux
added 2026/05/18 8:10 a.m.14 views

Security update for rmt-server

This update for rmt-server fixes the following issues CVE-2026-26961: rack: mismatch in header handling can allow to smuggle multipart content bsc1261398. CVE-2026-26962: rack: improper unfolding of folded multipart headers can lead to header injection or response splitting bsc1261471...

8.7CVSS5.8AI score0.0043EPSS
Exploits0References42
OSV
OSV
added 2026/05/13 8:53 a.m.6 views

CLSA-2026-1778254557 httpd: Fix of 8 CVEs

CVE-2026-24072: modrewrite/modsetenvif: use APEXPRFLAGRESTRICTED in htaccess to prevent reading server-side files via apexpr from .htaccess - CVE-2026-29169: moddavlock: NULL pointer dereference in davgenericrefreshlocks use dpscan instead of dp - CVE-2026-33006: modauthdigest: timing attack —...

8.8CVSS5.8AI score0.00654EPSS
Exploits2References1
OSV
OSV
added 2026/05/12 7:33 p.m.12 views

CLSA-2026-1778614426 httpd: Fix of 9 CVEs

CVE-2026-24072: fix modrewrite apexpr privilege escalation in htaccess - CVE-2026-28780: fix modproxyajp ajpmsgcheckheader buffer over-read - CVE-2026-29169: fix moddavlock NULL pointer dereference - CVE-2026-33006: fix modauthdigest timing attack - CVE-2026-33007: fix modauthnsocache NULL...

9.8CVSS5.9AI score0.01325EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/05/12 5:37 p.m.9 views

CVE-2026-33523

A flaw was found in httpd. When processing responses from an untrusted or compromised backend server, multiple modules fail to sanitize Carriage Return and Line Feed CRLF sequences in the HTTP status line. This issue leads to an HTTP response splitting attack. Mitigation Mitigation for this issue...

6.5CVSS5.6AI score0.00436EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/08 8:49 p.m.12 views

HTTP Response Splitting

Overview eventsource-encoder is an Encodes events as well-formed EventSource/Server Sent Event SSE messages Affected versions of this package are vulnerable to HTTP Response Splitting via unsanitized event and id fields in the encoding process. An attacker can inject arbitrary Server-Sent Events...

6.9CVSS6AI score0.00277EPSS
Exploits1References3
CVE
CVE
added 2026/05/08 3:27 p.m.19 views

CVE-2026-41683

CVE-2026-41683 affects i18next-http-middleware prior to 3.9.3. The root cause is that user-controlled language values (lng) were passed, via unsafe escaping, into the Content-Language header, potentially allowing HTTP response splitting or DoS depending on Node.js version. Older i18next (< 19....

8.6CVSS5.7AI score0.00327EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/08 3:27 p.m.30 views

CVE-2026-41683 HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS0.00327EPSS
Exploits0References1
Rows per page
Query Builder