52490 matches found
Important: nodejs20
Issue Overview: Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted:...
MAL-2026-2244 Malicious code in fluxhttp (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 2669b72303bd592ba1633febc04bca1f0a8804d8546baf21b5f3f12baaa80f29 Malicious clone of a legitimate package. When using it, the code attempts to download and execute remote code. In on of the incarnations, the malicious code wa...
CVE-2026-22735 vulnerabilities
Vulnerabilities for packages: kafbat-ui, apache-nifi-registry, kayenta, nacos-docker, apache-activemq-fips, camunda-zeebe, thingsboard, kayenta-fips, camunda, kafbat-ui-fips, apache-activemq, nacos...
GHSA-CG6C-Q2HX-69H7 OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
Summary Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-on...
Mirai Malware Evolves into Hundreds of Variants Driving Botnet Growth
Mirai malware evolves into hundreds of variants, driving botnet growth, including Aisuru and KimWolf, powering large-scale attacks, and increasing risks to vulnerable IoT devices worldwide...
CVE-2026-32004
OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitti...
Linux Distros Unpatched Vulnerability : CVE-2026-27980
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image...
CVE-2026-1525 undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: Applications...
AWS VDP: SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)
Researchers This vulnerability was discovered through collaborative security research. Researchers: - █████ - █████████ - █████████ --- Summary AWS WAF fails to detect certain SQL injection payload variants. These payloads bypass the AWS WAF SQL injection detection rules and reach the backend...
CVE-2026-3337
CVE-2026-3337 documents a timing side-channel in AES-CCM decryption within AWS-LC affecting EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. An unauthenticated user could potentially determine authentication tag validity via timing analysis. The impact and remediation are described by the a...
RUSTSEC-2026-0043 Timing Side-Channel in AES-CCM Tag Verification in AWS-LC
Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVPaes128ccm, EVPaes192ccm, and EVPaes256ccm. Customers of AWS servic...
Analysis of LLMs against Prompt Injection and Jailbreak Attacks
Large Language Models LLMs are widely deployed in real-world systems. Given their broader applicability, prompt engineering has become an efficient tool for resource-scarce organizations to adopt LLMs for their own purposes. At the same time, LLMs are vulnerable to prompt-based attacks. Thus,...
GHSA-G9Q4-QJX4-2V7Q vulnerabilities
Vulnerabilities for packages: mc, ingress-nginx-controller, gitlab-rails-ce-fips, gitlab-runner-fips, qemu-guesthelper, tfsec, bom, terraform-fips, osv-scanner, rancher-helm, kubernetes-dashboard, flux-notification-controller-fips, loki, gatekeeper, ferretdb, consul-fips, gpu-operator-fips,...
Trojan-Resilient NTT: Protecting against Control Flow and Timing Faults on Reconfigurable Platforms
Number Theoretic Transform NTT is the most essential component for polynomial multiplications used in lattice-based Post-Quantum Cryptography PQC algorithms such as Kyber, Dilithium, NTRU etc. However, side-channel attacks SCA and hardware vulnerabilities in the form of hardware Trojans may alter...
Dissecting UAT-8099: New persistence mechanisms and regional focus
Cisco Talos has identified a new campaign by UAT-8099, active from late 2025 to early 2026, that is targeting vulnerable Internet Information Services IIS servers across Asia with a specific focus on victims in Thailand and Vietnam. Analysis confirms significant operational overlaps between this...
CVE-2025-14157 vulnerabilities
Vulnerabilities for packages: gitlab-workhorse-ce, gitlab-workhorse-ce-fips, gitlab-rails-ce-fips, gitlab-rails-ce...
CVE-2026-24785
Clatter is a nostd compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule Noise Protocol Framework...
CVE-2026-24785 Clatter has a PSK Validity Rule Violation issue
Clatter is a nostd compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule Noise Protocol Framework...
CVE-2026-24785
Clatter is a nostd compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule Noise Protocol Framework...
Exploit for Out-of-bounds Read in Libpng
Spring Boot Minimal Images PoC Dummy Spring Boot application...