60 matches found
CVE-2026-48588
CVE-2026-48588 affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The issue arises in UpdateCacheMiddleware and the cache_page() decorator, which cache responses that vary on cookies when unrelated cookies are present, allowing remote attackers to read private data from the shared cache. Earl...
undici: Undici: Information disclosure due to improper cache-control header parsing
A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from...
undici: Undici: Information disclosure due to improper cache-control header parsing
A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from...
Deserialization of Untrusted Data
Overview software.amazon.jdbc:aws-advanced-jdbc-wrapper is an Amazon Web Services AWS Advanced JDBC Wrapper Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the CachedResultSet deserialization path in the RemoteQueryCachePlugin. An attacker can execute...
PT-2026-54642
Name of the Vulnerable Software and Affected Versions AWS Advanced JDBC Wrapper versions 3.3.0 through 4.0.0 Description Deserialization of untrusted data in the RemoteQueryCachePlugin allows an actor with write access to the shared cache infrastructure to execute arbitrary code on application...
CVE-2026-10140
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials,...
CVE-2026-10140 Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials,...
Linux Distros Unpatched Vulnerability : CVE-2026-9678
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified...
SUSE CVE-2026-9678
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
EUVD-2026-37766
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass...
GHSA-PR7R-676H-XCF6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Impact Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Impact Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
CVE-2026-9678
A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from...
CVE-2026-50202 Steeltoe's static JWKS cache shared across schemes and never invalidated
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and...
Use of Cache Containing Sensitive Information
Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the cache interceptor. An attacker can obtain another user's authenticated response data by exploiting whitespace-padded...
CVE-2026-9678
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
CVE-2026-9678
Undici (node) vulnerability CVE-2026-9678: in shared-cache mode, the cache interceptor may misclassify responses as cacheable when Cache-Control uses whitespace-padded private/no-cache directives (e.g., private=" authorization" or no-cache="\tauthorization"). The whitespace is preserved by the pa...
CVE-2026-9678 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
CVE-2026-9678 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
PT-2026-50515
Name of the Vulnerable Software and Affected Versions undici versions prior to 7.28.0 undici versions prior to 8.5.0 Description The cache interceptor incorrectly classifies certain responses as cacheable when the upstream Cache-Control header contains whitespace-padded qualified private or...