CVE-2026-4132

CVE-2026-4132 affects the WordPress HTTP Headers plugin up to version 1.19.2. The vulnerability arises from insufficient validation of the htpasswd path (hh_htpasswd_path) and lack of sanitization of the hh_www_authenticate_user value, allowing an authenticated Administrator+ to cause Remote Code...

Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

hi guys, commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 as-of 2026-01-31 contact: GitHub Security Advisory https://github.com/distribution/distribution/security/advisories/new summary in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...

CVE-2026-33540 Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...

CVE-2026-33540

CVE-2026-33540 affects the Distribution toolkit. In prior releases (before 3.1.0) and in pull-through cache mode, it parses WWW-Authenticate challenges to discover token auth endpoints, taking the realm URL from a bearer challenge without validating it against the upstream host. An attacker-contr...

CVE-2026-33540 Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...

CVE-2026-24845

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses...

curl: Functional Regression in Digest Authentication: Failure to handle optional spaces and escaped quotes

Summary A recent migration of the Digest authentication parsing logic to the curlxstr strparse API introduced two functional parsing regressions in lib/vauth/digest.c. 1. Optional Whitespace OWS Handling The current implementation fails to skip optional whitespace after comma delimiters in...

Amazon Linux 2023 : libsoup3, libsoup3-devel (ALAS2023-2025-1233)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1233 advisory. A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 Unauthorized HTTP response containing ...

EUVD-2022-2732

Malicious code in bioql PyPI...

EulerOS 2.0 SP13 : libsoup (EulerOS-SA-2025-2136)

According to the versions of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receiv...

EulerOS 2.0 SP13 : libsoup (EulerOS-SA-2025-2146)

According to the versions of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receiv...

OESA-2025-2279 libsoup3 security update

Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. Security Fixes: A denial-of-service vulnerability has been identified in the libso...

EulerOS 2.0 SP12 : libsoup (EulerOS-SA-2025-2046)

According to the versions of the libsoup packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receiv...

Linux Distros Unpatched Vulnerability : CVE-2021-4180

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this...

SUSE CVE-2025-51471

Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint...

PYSEC-2025-147

Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint...

AZL-61910 CVE-2025-4476 affecting package libsoup for versions less than 3.4.4-7

A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 Unauthorized HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed...

libsoup 代码问题漏洞

libsoup is a GNOME HTTP client/server library from the GNOME Project. A code issue vulnerability exists in libsoup, which stems from the fact that handling certain constructs of the WWW-Authenticate header may cause a client application to crash, potentially leading to a denial of service attack...

RHEL 6 : tomcat (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - tomcat: Information Disclosure when using VirtualDirContext CVE-2017-12616 - Apache Tomcat 5.5.0 through...