70 matches found
CVE-2026-42926
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not...
Exploit for Uncontrolled Resource Consumption in Ietf Http
#!/usr/bin/env python3 """ Evidence CVE-2023-44487 HTTP/2 Rapi...
DEBIAN-CVE-2026-40394
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service daemon panic for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is...
PT-2026-27961
Name of the Vulnerable Software and Affected Versions: Mattermost versions 11.4.0 and earlier; Mattermost versions 11.3.1 and earlier; Mattermost versions 11.2.3 and earlier; Mattermost versions 10.11.11 and earlier. Description: The software does not adequately limit the rate of login requests. This...
Eugene AdGuard Home Authorization Issue Vulnerability
Eugene AdGuard Home is an open-source application developed by Eugene. It provides a full-network software solution for blocking advertisements and tracking. Versions of Eugene AdGuard Home prior to 0.107.73 had an authorization issue vulnerability. This vulnerability stemmed from an unverified...
Debian dsa-6120 : libtomcat10-embed-java - security update
The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6120 advisory. Debian Security Advisory DSA-6120-1...
MiracleLinux 8 : haproxy-1.8.23-3.el8 (AXSA:2020-267:02)
The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2020-267:02 advisory. haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated chunked value (CVE-2019-18277) haproxy: HTTP/2...
Astra Linux - vulnerability in apache2
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...
USN-7932-1 libsoup3 vulnerability
It was discovered libsoup incorrectly handled memory when handling specific HTTP/2 read and cancel sequences. An attacker could possibly use this issue to cause a denial of service...
Important: libsoup3
Issue Overview: A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could...
Pingora update for MadeYouReset HTTP/2 vulnerability
Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can for...
Medium: python-h2
Issue Overview: h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to...
CVE-2025-9784 Undertow: undertow madeyoureset http/2 ddos vulnerability
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts...
Linux Distros Unpatched Vulnerability : CVE-2015-5168
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different...
Exploit for CVE-2025-8671
PoC-CVE-2025-8671-MadeYouReset-HTTP-2 PoC to validate vulnera...
Apache Tomcat Denial of Service Vulnerability (CNVD-2025-19106)
Apache Tomcat is a lightweight web application server from the Apache Foundation (United States) that implements support for Servlet and JavaServer Pages (JSP). Apache Tomcat suffers from a denial of service vulnerability due to a forced reset attack in the HTTP/2 implementation. An attacke...
Linux Distros Unpatched Vulnerability : CVE-2025-49630
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients...
Apache Tomcat 10.1.0.M1 < 10.1.44
The version of Tomcat installed on the remote host is prior to 10.1.44. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.44_security-10 advisory. - Tomcat's HTTP/2 implementation was vulnerable to the made you reset attack. The denial of service typically...
CVE-2025-41414
When HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...
USN-7469-4 h2o vulnerability
USN-7469-1 fixed a vulnerability in Apache Traffic Server. This update provides the corresponding updates for H2O. Original advisory details: It was discovered that Apache Traffic Server exhibited poor server resource management in its HTTP/2 protocol. An attacker could possibly use this issue to...