| 241 | 7.5 | HIGH | Network | - | - | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuf… | New | CWE-770: Allocation of Resources Without Limits or Throttling; CWE-789: Memory Allocation with Excessive Size Value | CVE-2026-42582 | 2026-05-15 01:26 | 2026-05-14 |
| 242 | 7.5 | HIGH | Network | - | - | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) b… | New | CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling | CVE-2026-42583 | 2026-05-15 01:26 | 2026-05-14 |
| 243 | 5.8 | MEDIUM | Network | - | - | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both… | New | CWE-444: HTTP Request Smuggling | CVE-2026-42581 | 2026-05-15 01:26 | 2026-05-14 |
| 244 | 7.3 | HIGH | Network | - | - | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() onc… | New | CWE-444: HTTP Request Smuggling | CVE-2026-42584 | 2026-05-15 01:26 | 2026-05-14 |
| 245 | 6.5 | MEDIUM | Network | - | - | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks… | New | CWE-444: HTTP Request Smuggling | CVE-2026-42585 | 2026-05-15 01:26 | 2026-05-14 |
| 246 | 5.3 | MEDIUM | Network | - | - | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limi… | New | CWE-400: Uncontrolled Resource Consumption | CVE-2026-44248 | 2026-05-15 01:26 | 2026-05-14 |
| 247 | 6.5 | MEDIUM | Network | - | - | Hermes WebUI prior to 0.51.44 - Release T contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted ses… | New | CWE-22: Path Traversal | CVE-2026-22677 | 2026-05-15 01:24 | 2026-05-14 |
| 248 | 5.4 | MEDIUM | Network | - | - | Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without… | New | CWE-79: Cross-site Scripting | CVE-2026-45228 | 2026-05-15 01:24 | 2026-05-14 |
| 249 | 8.8 | HIGH | Network | - | - | Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui… | New | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes | CVE-2026-45229 | 2026-05-15 01:24 | 2026-05-14 |
| 250 | 6.1 | MEDIUM | Network | - | - | Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name fiel… | New | CWE-79: Cross-site Scripting | CVE-2026-41932 | 2026-05-15 01:24 | 2026-05-15 |