16 matches found

RedhatCVE | added 2026/06/05 7:44 p.m. | 7 views

CVE-2026-44242

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...

CVSS 3.7 | AI score 5.5 | EPSS 0.00209
Exploits 0 | References 1
AstraLinux | added 2026/05/03 11:59 p.m. | 1 view

Astra Linux – Vulnerability in python-tornado

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the provided “reason” phrase was used unescaped in HTTP headers where it could be used for header injection or in HTML on the default error page where it could be used for XSS attacks. This...

CVSS 6.1 | AI score 5.2 | EPSS 0.00185
Exploits 0 | References 1
Github Security Blog | added 2026/04/10 12:30 a.m. | 3 views

Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4qwc-c7g9-4xcw. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling...

CVSS 6.9 | AI score 5.8 | EPSS 0.0036
Exploits 0 | References 6 | Affected Software 1
ATTACKERKB | added 2026/04/09 9:27 p.m. | 1 view

CVE-2026-35633

OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application t...

CVSS 6.9 | AI score 6 | EPSS 0.0036
Exploits 0 | References 5
Snyk | added 2026/02/26 10:48 p.m. | 1 view

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the http.Error function. An attacker can obtain sensitive database credentials by triggering database errors through authenticated HTTP requests. Remediation Upgrade...

CVSS 7.1 | AI score 6
Exploits 0 | References 3
CVE | added 2026/01/10 12:20 a.m. | 9 views

CVE-2026-22025

CryptoLib’s memory-leak vulnerability affects the KMC client: when a non-200 HTTP response is returned, cryptography_encrypt() and cryptography_decrypt() fail to free previously allocated buffers, leaking ~467 bytes per failed request and risking memory exhaustion with repeated failures. This occ...

CVSS 6.3 | AI score 6.5 | EPSS 0.00497
Exploits 1 | References 3 | Affected Software 1
CVE | added 2025/10/29 12:00 a.m. | 10 views

CVE-2025-61234

CVE-2025-61234 affects Dataphone A920 (v2025.07.161103). A misconfigured access control exposes a service on port 8888 on the local network without authentication, allowing TCP socket interaction. An HTTP request to port 8888 can trigger an error response that reveals Paytef dataphone packet head...

CVSS 7.5 | AI score 6.2 | EPSS 0.00293
Exploits 0 | References 1
BDU FSTEC | added 2023/06/28 12:00 a.m. | 3 views

Vulnerability in the Keycloak identity and access management software: missing filtering of the requested name during generation of the 404 HTTP error page allows an attacker to execute arbitrary script.

The vulnerability in the Keycloak identity and access management software stems from the absence of filtering of the requested name during generation of the 404 HTTP error page. As a result, the name of the non-existent webpage is passed unchanged into the generated error page. Exploiting this vulnerability allows a...

CVSS 9.4 | AI score 7 | EPSS 0.00561
Exploits 0 | References 2 | Affected Software 2
OSV | added 2021/03/17 5:15 p.m. | 4 views

CVE-2020-17457

Fujitsu ServerView Suite iRMC before 9.62F allows XSS. An authenticated attacker can store an XSS payload in the PSCUFILEINIT field of a Save Configuration XML document. The payload is triggered in the HTTP error response pages...

CVSS 5.4 | AI score 5.8 | EPSS 0.00505
Exploits 0 | References 2
OSV | added 2018/11/09 11:29 a.m. | 2 views

DEBIAN-CVE-2018-19131

Squid before 4.4 has XSS via a crafted X.509 certificate during HTTPS error page generation for certificate errors...

CVSS 6.1 | AI score 5.9 | EPSS 0.03333
Exploits 1 | References 1
OSV | added 2018/08/01 9:29 p.m. | 1 view

CVE-2018-10624

In Johnson Controls Metasys System Versions 8.0 and prior and BCPro BCM all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information...

CVSS 6.5 | AI score 5.8 | EPSS 0.0078
Exploits 0 | References 2
PyPA | added 2017/09/21 2:29 p.m. | 5 views

PYSEC-2017-45

Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path...

CVSS 6.1 | AI score 6 | EPSS 0.01626
Exploits 0 | References 7 | Affected Software 1
Citrix | added 2017/06/02 12:00 a.m. | 6 views

Cannot open PDF files downloaded from Secure Web

Issue: Error while opening a PDF file from Secure Web: "Invalid PDF format."...

AI score 7.1
Exploits 0
OSV | added 2016/05/10 7:59 p.m. | 2 views

UBUNTU-CVE-2016-4561

Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message...

CVSS 6.1 | AI score 6.9 | EPSS 0.01465
Exploits 0 | References 4
CNVD | added 2015/08/08 12:00 a.m. | 2 views

Red Hat JBoss Operations Network HTTP Error Page Cross-Site Scripting Vulnerability

JBoss Operations Network is open source network management software based on Java EE. An input validation vulnerability in the JBoss Operations Network HTTP error page allows remote attackers to exploit the vulnerability to inject malicious script or HTML code, which can be used to obtain sensiti...

CVSS 4.3 | AI score 6.4 | EPSS 0.0121
Exploits 0 | References 1
Prion | added 2008/11/01 6:00 a.m. | 11 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the web server component in Philips Electronics VOIP841 DECT Phone with firmware 1.0.4.50 and 1.0.4.80 allows remote attackers to inject arbitrary web script or HTML via the request URL, which is not properly handled in a 404 web error page...

CVSS 4.3 | AI score 6.2 | EPSS 0.01803
Exploits 0 | References 6 | Affected Software 1