Security News

Cybersecurity news aggregator

← Back to News Browse all tags

http

21 articles with this tag

INFO
RHSA-2026:25090: Important: httpd:2.4 security update
Red Hat Errata • Jun 10, 2026
 MEDIUM
CVE-2025-60876 BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Microsoft Security Response Center • Jun 03, 2026
 MEDIUM
CVE-2026-6324 Libsoup: libsoup: http request smuggling via unsigned to signed conversion error
Microsoft Security Response Center • Jun 02, 2026
 HIGH
CVE-2025-23167 A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
Microsoft Security Response Center • May 31, 2026
 LOW
USN-8343-1: multipart vulnerability
Ubuntu Security • May 28, 2026
 MEDIUM
USN-8338-1: Apache HTTP Server vulnerabilities
Ubuntu Security • May 28, 2026
 MEDIUM
CVE-2026-9256 NGINX ngx_http_rewrite_module vulnerability
Microsoft Security Response Center • May 27, 2026
 MEDIUM
CVE-2026-44431 urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
Microsoft Security Response Center • May 16, 2026
 MEDIUM
RHSA-2026:15968: Moderate: libsoup3 security update
Red Hat Errata • May 11, 2026
 MEDIUM
CVE-2026-2708 Libsoup: libsoup: http request smuggling via duplicate content-length headers
Microsoft Security Response Center • Apr 29, 2026
 MEDIUM
CVE-2026-39882 OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
Microsoft Security Response Center • Apr 11, 2026
 MEDIUM
CVE-2026-1965 bad reuse of HTTP Negotiate connection
Microsoft Security Response Center • Apr 14, 2026
 MEDIUM
CVE-2026-3644 Incomplete control character validation in http.cookies
Microsoft Security Response Center • Apr 15, 2026
 MEDIUM
CVE-2025-62718 Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Microsoft Security Response Center • Apr 15, 2026
 MEDIUM
CVE-2026-40175 Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Microsoft Security Response Center • Apr 15, 2026
 HIGH
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)
Reddit r/netsec • Apr 16, 2026
 HIGH
Cisco Identity Services Engine Remote Code Execution Vulnerabilities
Cisco Security • Apr 15, 2026
 MEDIUM
Cisco Secure Web Appliance Authentication Bypass Vulnerability
Cisco Security • Apr 15, 2026
 MEDIUM
Fixing request smuggling vulnerabilities in Pingora OSS deployments
Cloudflare Blog • Mar 09, 2026
 MEDIUM
The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
Reddit r/netsec • Feb 27, 2026
 INFO
Http11Probe - Probe for Http 1.1 compliance
Reddit r/netsec • Feb 10, 2026