Lucene search
K

79 matches found

Cvelist
Cvelist
added yesterday5 views

CVE-2026-10051

In Eclipse Jetty, a first HTTP/1.1 request with trailers causes the server to retain the trailers in subsequent requests performed over the same connection. Subsequent request that do not have trailers report the trailers of the first request. Subsequent request that do have trailers report the...

6.9CVSS0.00253EPSS
Exploits1References1
CVE
CVE
added yesterday8 views

CVE-2026-10051

In Eclipse Jetty, a first HTTP/1.1 request with trailers causes the server to retain the trailers in subsequent requests performed over the same connection. Subsequent request that do not have trailers report the trailers of the first request. Subsequent request that do have trailers report the...

7.5CVSS6.1AI score0.00253EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added yesterday4 views

EUVD-2026-43645

In Eclipse Jetty, a first HTTP/1.1 request with trailers causes the server to retain the trailers in subsequent requests performed over the same connection. Subsequent request that do not have trailers report the trailers of the first request. Subsequent request that do have trailers report the...

7.5CVSS6.1AI score0.00253EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2026/06/05 12:0 a.m.18 views

Linux Distros Unpatched Vulnerability : CVE-2026-40898

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client a...

7.5CVSS5.5AI score0.00279EPSS
Exploits0References3
OSV
OSV
added 2026/06/04 7:16 p.m.11 views

DEBIAN-CVE-2026-40898

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

7.5CVSS5.4AI score0.00279EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/04 5:43 p.m.10 views

CVE-2026-40898

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

7.5CVSS5.4AI score0.00279EPSS
Exploits0
EUVD
EUVD
added 2026/06/04 5:43 p.m.11 views

EUVD-2026-34312

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

5.3CVSS6.8AI score0.00338EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/04 5:43 p.m.9 views

CVE-2026-40898 quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References2
OSV
OSV
added 2026/06/03 8:59 p.m.9 views

GHSA-VVGJ-X9JQ-8CJ9 quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an http.Header for t...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/06/03 8:59 p.m.27 views

quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an http.Header for t...

7.5CVSS6.8AI score0.00279EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.17 views

PT-2026-46115

Name of the Vulnerable Software and Affected Versions quic-go affected versions not specified Description An attacker can trigger excessive memory allocation in the HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame. This frame decodes into a large trailer field...

7.5CVSS5.8AI score0.00279EPSS
Exploits0References21
OSV
OSV
added 2026/05/19 7:25 p.m.8 views

GHSA-RF5Q-VWXW-GMRF Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder

Summary A worker-pinning denial of service in Bandit's HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a Transfer-Encoding: chunked request whose body ends with a trailer field RFC 9112 §7.1.2 explicitly permits this causes the connection's worker process to spin forever in...

8.7CVSS5.9AI score0.00637EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/05/19 7:25 p.m.14 views

Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder

Summary A worker-pinning denial of service in Bandit's HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a Transfer-Encoding: chunked request whose body ends with a trailer field RFC 9112 §7.1.2 explicitly permits this causes the connection's worker process to spin forever in...

8.7CVSS5.9AI score0.00637EPSS
Exploits1References6Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 1:36 p.m.5 views

CVE-2026-39806

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...

8.7CVSS5.8AI score0.00637EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.10 views

PT-2026-40608

Name of the Vulnerable Software and Affected Versions bandit versions 1.6.1 through 1.11.0 Description An infinite loop in the do read chunked data!/5 function within lib/bandit/http1/socket.ex allows unauthenticated remote attackers to cause a denial of service via worker process exhaustion. The...

8.7CVSS5.8AI score0.00637EPSS
Exploits1References9
EUVD
EUVD
added 2026/04/22 12:54 a.m.5 views

EUVD-2026-24581

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's STREAMING-UNSIGNED-PAYLOAD-TRAILER code path allows any user who knows a valid access key to write arbitrary...

8.8CVSS5.9AI score0.00349EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/22 12:49 a.m.9 views

CVE-2026-40344 MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler PutObjectExtractHandler allows any user who knows a valid access key to write...

8.8CVSS6.1AI score0.00418EPSS
Exploits0References3
Veracode
Veracode
added 2026/04/04 5:36 a.m.6 views

Memory Exhaustion

aiohttp is vulnerable to Memory Exhaustion. The vulnerability is due to insufficient restrictions in header/trailer handling, where unlimited trailer headers are accepted and an attacker can send a request or response with many trailers to cause uncapped memory usage...

7.5CVSS5.9AI score0.0044EPSS
Exploits0References3Affected Software2
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.5 views

CVE-2026-32873

ewe is a Gleam web server. Versions 0.8.0 through 3.0.4 contain a bug in the handletrailers function where rejected trailer headers forbidden or undeclared cause an infinite loop. When handletrailers encounters such a trailer, three code paths lines 520, 523, 526 recurse with the original buffer...

7.5CVSS6.1AI score0.00599EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/20 1:18 a.m.25 views

CVE-2026-32881 ewe has an Overly Permissive List of Allowed Inputs

ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9...

5.3CVSS0.00386EPSS
Exploits1References4
Rows per page
Query Builder