pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

EUVD-2026-32016

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header...

CVE-2026-44844 eml_parser: Recursion DoS via nested message/rfc822 attachments

emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.getrawbodytext recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who ca...

OESA-2026-2423 perl-Authen-SASL security update

Authen::SASL::Perl is the pure Perl implementation of SASL mechanisms in the Authen::SASL framework, At the time of this writing it provides the client part implementation for the following SASL mechanisms. Security Fixes: Authen::SASL::Perl::DIGESTMD5 versions 2.04 through 2.1800 for Perl...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

EUVD-2026-29951

Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder...

Security update for perl-CryptX (important)

openSUSE Security Update: Security update for perl-CryptX Announcement ID: openSUSE-SU-2026:0170-1 Rating: important References: 1244472 1262697 Cross-References: CVE-2025-40914 CVE-2026-41564 Affected Products: openSUSE Backports SLE-15-SP7 An update that fixes two vulnerabilities is now...

CVE-2026-43964

A flaw was found in Postfix. This issue occurs when processing enhanced status codes, specifically an enhanced status code that lacks text following the third number. Depending on the configuration of the server, this allows a remote attacker to cause a buffer over-read of only 1 byte, leading to...

CVE-2026-44379

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues o...

CLSA-2026-1778661102 ruby: Fix of CVE-2023-28756

CVE-2023-28756: fix ReDoS in Time.rfc2822 by linearizing the RFC2822 parser regex in lib/time.rb to prevent quadratic backtracking on crafted invalid input...

CVE-2026-42499

CVE-2026-42499 affects the net/mail package’s consumePhrase routine, where pathological inputs can trigger DoS due to quadratic string concatenation when parsing RFC 5322 email addresses. This is documented across multiple feeds (NVD, CVE list, Debian, CIRCL, OSV GO-2026-4977, vulnrichment), indi...

GHSA-38F8-5428-X5CV Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding

Summary Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. Details Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present. According to RFC...

PT-2026-38377

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.2.13.Final Netty versions prior to 4.1.133.Final Description Netty incorrectly parses malformed Transfer-Encoding headers, which can lead to request smuggling attacks. Specifically, the framework incorrectly marks a...

Linux Distros Unpatched Vulnerability : CVE-2026-43186

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ipv6: ioam: fix heap buffer overflow in ioam6filltracedata On the receive path, ioam6filltracedata uses trace-nodelen to decide how much data to write for each...

CVE-2026-40562

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An...

Server-side Request Forgery (SSRF)

Overview requests-hardened is an A library that overrides the default behaviors of the requests library, and adds new security features. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the URL filtering process. An attacker can access internal services and...

CVE-2026-43057

In the Linux kernel, the following vulnerability has been resolved: net: correctly handle tunneled traffic on IPV6CSUM GSO fallback NETIFFIPV6CSUM only advertises support for checksum offload of packets without IPv6 extension headers. Packets with extension headers must fall back onto software...

Amazon Linux 2023 : aws-nitro-tpm-tools (ALAS2023-2026-1610)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1610 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack...

Amazon Linux 2023 : librsvg2, librsvg2-devel, librsvg2-tools (ALAS2023-2026-1591)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1591 advisory. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack...