25 matches found
OPENSUSE-SU-2026:20784-1 Security update for nginx
This update for nginx fixes the following issues: - CVE-2026-1642: plain text data injection into the response from an upstream proxied server (bsc#1257675). - CVE-2026-27654: buffer overflow in the NGINX worker process via the ngx_http_dav_module module (bsc#1260416). - CVE-2026-27784: NGINX worker memor...
SUSE-SU-2026:1761-1 Security update for nginx
This update for nginx fixes the following issues: - CVE-2026-1642: plain text data injection into the response from an upstream proxied server via MITM attack (bsc#1257675). - CVE-2026-27654: buffer overflow in the NGINX worker process via the ngx_http_dav_module module (bsc#1260416). - CVE-2026-27784:...
MiracleLinux 8 : dotnet9.0-9.0.116-1.el8_10 (AXSA:2026-500:08)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-500:08 advisory. dotnet: .NET: Security Bypass and Denial of Service Vulnerability CVE-2026-26171 dotnet: .NET: Denial of Service via stack overflow CVE-2026-32203...
CVE-2026-39971 Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipity_isResponseClean is not...
EUVD-2026-22811
Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header...
GHSA-458G-Q4FH-MJ6R Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header
Summary Serendipity inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC...
EUVD-2026-14885
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation...
CVE-2026-28753
CVE-2026-28753 affects NGINX Plus and NGINX Open Source through the ngx_mail_smtp_module. The vulnerability arises from improper handling of CRLF sequences in DNS responses, which could allow an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, enabling poten...
GO-2026-4333 Mailpit has an SMTP Header Injection via Regex Bypass in github.com/axllent/mailpit
Mailpit has an SMTP Header Injection via Regex Bypass in github.com/axllent/mailpit...
PT-2026-6508
Mailpit has an SMTP Header Injection via Regex Bypass in github.com/axllent/mailpit...
GHSA-54WQ-72MP-CQ7C Mailpit has an SMTP Header Injection via Regex Bypass
Vulnerability Report: SMTP Header Injection via Regex Bypass Vulnerable Code: mailpit/internal/smtpd/smtpd.go Executive Summary Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate RCPT TO and MAIL FROM addresses. An attacker can injec...
CVE-2026-23829
CVE-2026-23829 — Mailpit SMTP header injection via regex bypass. Mailpit’s SMTP server (prior to v1.28.3) fails to properly filter control characters in RCPT TO/MAIL FROM addresses due to a regex with an incomplete character class, allowing CR/LF bypass and header injection. The flaw stems from G...
PT-2026-3406
Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.28 Description Mailpit, an email testing tool and API for developers, has a header injection issue in its SMTP server. This is due to a flawed regular expression used to validate RCPT TO and MAIL FROM addresses,...
EUVD-2022-4710
Malicious code in bioql PyPI...
VMware vCenter SMTP Header Injection Vulnerability
VMware vCenter is a virtualization management software from VMware. An SMTP header injection vulnerability exists in VMware vCenter, which can be exploited by an attacker to manipulate notification emails for scheduled tasks...
CVE-2025-41250
VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks...
CVE-2025-41250 Header injection vulnerability
VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate the notification emails sent for scheduled tasks...
SUSE CVE-2017-9801
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers...
Introducing Periscope: Out-of-Band Vulnerability Detection Mechanism in Qualys WAS
Web applications and REST APIs can be susceptible to a certain class of vulnerabilities that can't be detected by a traditional HTTP request-response interaction. These vulnerabilities are challenging to find but provide a way for attackers to target otherwise inaccessible, internal systems. An...