CVE-2026-48862

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSHPROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decodepushpromiseheadersandaddresponse/5 inserts a :reservedremote entry...

CVE-2026-48862 Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSHPROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decodepushpromiseheadersandaddresponse/5 inserts a :reservedremote entry...

EEF-CVE-2026-48862 Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency

Summary Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSHPROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decodepushpromiseheadersandaddresponse/5 inserts a :reservedremote...

JLSEC-2026-416 When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of...

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

Astra Linux - уязвимость в curl

When an application instructs libcurl to enable HTTP/2 server push, and the number of received headers for the push exceeds the maximum allowed limit 1000, libcurl abends the server push. During this process, libcurl inadvertently does not free all of the previously allocated headers; instead, it...

curl: HTTP/2 server push accepts a non-authoritative :scheme=https over cleartext h2c, enabling HTTPS cache-key poisoning

Summary: I found that libcurl 8.19.0 accepts an HTTP/2 pushed stream on a cleartext h2c connection even when the server sends :scheme=https in PUSHPROMISE. In lib/http2.c, settransferurl builds the pushed handle URL from the server-supplied :scheme, :authority, and :path, but PUSHPROMISE validati...

Siemens SIMATIC S7-1500 Missing Release of Resource after Effective Lifetime (CVE-2024-2398)

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit 1000, libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

EUVD-2013-1723

Malware in sbrugna...

EUVD-2010-3172

Malware in sbrugna...

EUVD-2024-27350

Malicious code in bioql PyPI...

MAL-2025-33005 Malicious code in server-push-webpack-plugin (npm)

The package server-push-webpack-plugin was found to contain malicious code...

Malicious code in server-push-webpack-plugin (npm)

The package server-push-webpack-plugin was found to contain malicious code...

TencentOS Server 3: curl (TSSA-2024:0408)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:0408 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...

Azure Linux 3.0 Security Update: cmake / curl / mysql (CVE-2024-2398)

The version of cmake / curl / mysql installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-2398 advisory. - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.6 is vulnerable to multiple Operator package issues

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.6 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for...

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-2662)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

EulerOS 2.0 SP8 : curl (EulerOS-SA-2024-2460)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowe...

Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-2460)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

EulerOS Virtualization 2.12.1 : curl (EulerOS-SA-2024-2302)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the...

EulerOS Virtualization 2.12.0 : curl (EulerOS-SA-2024-2322)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the...