3 matches found
CVE-2026-49853 Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, SimpleAsyncHTTPClient shallow-copied redirected requests and removed only the Host header, leaving Authorization, authusername, authpassword, and authmode in place when a redirect changed scheme, host, or port...
CVE-2026-41412 alf.io vulnerable to Arbitrary File Read and Exfil via simpleHttpClient Extension Script
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client simpleHttpClient into every extension script's scope. The postFileAndSaveResponse method accep...
CVE-2026-41412 alf.io vulnerable to Arbitrary File Read and Exfil via simpleHttpClient Extension Script
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client simpleHttpClient into every extension script's scope. The postFileAndSaveResponse method accep...