| CVE-2026-50630 |
2026-06-12 |
A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage … |
| CVE-2026-44489 |
2026-06-11 |
Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Obje… |
| CVE-2026-49214 |
2026-06-11 |
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulner… |
| CVE-2026-43966 |
2026-06-08 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields … |
| CVE-2026-48596 |
2026-06-02 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_para… |
| CVE-2026-38967 |
2026-06-02 |
CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values. |
| CVE-2026-38978 |
2026-06-02 |
transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths. |
| CVE-2026-47675 |
2026-05-28 |
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters tha… |
| CVE-2026-9658 |
2026-05-28 |
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths.
The header injection rule was ineffective at blocking header injections in the re… |
| CVE-2026-44214 |
2026-05-26 |
eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage be… |
| CVE-2026-42578 |
2026-05-13 |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicit… |
| CVE-2026-7010 |
2026-05-11 |
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.
The unvalidated inputs are the method and URI in the request line, the URL host th… |
| CVE-2026-42874 |
2026-05-11 |
Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n seq… |
| CVE-2026-41683 |
2026-05-08 |
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language… |
| CVE-2026-43870 |
2026-05-05 |
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), … |
| CVE-2026-42035 |
2026-04-24 |
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attack… |
| CVE-2026-39971 |
2026-04-15 |
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMT… |
| CVE-2026-40175 |
2026-04-10 |
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-part… |
| CVE-2026-34767 |
2026-04-04 |
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handler… |
| CVE-2026-34715 |
2026-04-02 |
ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without valid… |