CVE-2026-48710
Starlette (Python ASGI framework) contains a Host header validation issue in versions before 1.0.1. The HTTP Host header was not validated when reconstructing request.url, while routing relies on the raw path and request.url, allowing a malformed Host header to make request.url.path differ from t...
CVE-2026-48710 Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header...
CVE-2026-7446
A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyzeresults/filterresults/exportresults/compareresults/scandirectory/createrule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command...
Use of Client-Side Authentication
Overview Affected versions of this package are vulnerable to Use of Client-Side Authentication in the VCS oauth. An attacker can gain unauthorized access by exploiting weaknesses in the GitLab login mechanism or by deriving a JWT authentication token without requiring a server reboot. Remediation...
PT-2025-43218
Name of the Vulnerable Software and Affected Versions Email Attachment by Order Status & Products versions n/a through 1.0.1 Description The software contains a flaw related to improper input handling during web page generation, which allows for Reflected Cross-site Scripting (XSS). This issue...
Security Bulletin: Astronomer with IBM is vulnerable to weak encryption due to the jose package (CVE-2025-45767)
Summary Jose is used by Astronomer with IBM as part of the JSON encryption functionality. Vulnerability Details CVEID:CVE-2025-45767 DESCRIPTION: jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim of "do not meet recommended security...
PT-2025-33514 · Unknown · Buttercup Buttercup-Browser-Extension
Name of the Vulnerable Software and Affected Versions: Buttercup buttercup-browser-extension versions up to 0.14.2 Description: A vulnerability exists in Buttercup buttercup-browser-extension up to version 0.14.2 due to improper access controls. The issue is remotely exploitable, but the complexi...
CVE-2017-20199
Buttercup buttercup-browser-extension
Security Bulletin: Astronomer with IBM is vulnerable to request smuggling due to the h11 package (CVE-2025-43859).
Summary The h11 package is used by Astronomer with IBM as part of request processing. This addresses the vulnerability. Vulnerability Details CVEID:CVE-2025-43859 DESCRIPTION: h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in...
Security Bulletin: Astronomer with IBM is vulnerable to denial of service due to the Netty package (CVE-2024-47535)
Summary Netty is used by Astronomer with IBM as part of network processing. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe...
Security Bulletin: Astronomer with IBM is vulnerable to memory exhaustion due to the Net::IMAP package (CVE-2025-43857)
Summary Net::IMAP is used by Astronomer with IBM as part of the IMAP client functionality. Vulnerability Details CVEID:CVE-2025-43857 DESCRIPTION: Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a...
PT-2025-5350
Name of the Vulnerable Software and Affected Versions CometBFT versions prior to 0.38.17 CometBFT versions prior to 1.0.1 Description CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the blocksync protocol, peers send their base and latest...
PT-2025-5578 · Plonky2 · Plonky2
Name of the Vulnerable Software and Affected Versions: Plonky2 versions prior to 1.0.1 Description: The issue concerns lookup tables in Plonky2, a SNARK implementation based on techniques from PLONK and FRI. If a lookup table's length is not divisible by 26, which is calculated as floornum routed...
Apache SeaTunnel Web Authentication vulnerability
Web Authentication vulnerability in Apache SeaTunnel. Since the JWT key is hardcoded in the application, an attacker can forge any token to log in as any user. An attacker can obtain the secret key from /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affect...
PT-2024-18179
Name of the Vulnerable Software and Affected Versions @dfinity/identity versions prior to 1.0.1 Description The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret...
PT-2024-15215
Name of the Vulnerable Software and Affected Versions Macro-Bel versions prior to V.1.0.1 Description The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows Reflected XSS. Recommendations For versions prior to V.1.0.1,...
PT-2023-10254 · Unknown · Custom-Content-Width
Name of the Vulnerable Software and Affected Versions: Custom-Content-Width version 1.0 Description: A vulnerability was found in Custom-Content-Width, affecting the function override content width/register settings of the file custom-content-width.php. This issue leads to cross-site scripting an...
Authentication Bypass
Overview omniauth-apple is an OmniAuth strategy for Sign In with Apple. Affected versions of this package are vulnerable to Authentication Bypass. Attackers could fake their email address during authentication. Note: This vulnerability impacts only applications using the omniauth-apple strategy o...