News & Sicurezza
Aggiornamenti da ENISA, NVD e le principali fonti di cybersecurity europee. Tutto quello che un Responsabile Tecnico deve sapere.
24696 risultati
CVE ID :CVE-2026-54280 Published : June 22, 2026, 4:40 p.m. | 1 hour, 3 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-54278 Published : June 22, 2026, 4:38 p.m. | 1 hour, 5 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case). This vulnerability is fixed in 3.14.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-54277 Published : June 22, 2026, 4:37 p.m. | 1 hour, 6 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-54276 Published : June 22, 2026, 4:36 p.m. | 1 hour, 7 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. This vulnerability is fixed in 3.14.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-54275 Published : June 22, 2026, 4:34 p.m. | 1 hour, 9 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check. This vulnerability is fixed in 3.14.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-54274 Published : June 22, 2026, 4:33 p.m. | 1 hour, 10 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-54279 Published : June 22, 2026, 4:32 p.m. | 1 hour, 11 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status. This vulnerability is fixed in 3.14.1. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-42127 Published : June 22, 2026, 4:31 p.m. | 1 hour, 12 minutes ago Description :The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-50269 Published : June 22, 2026, 4:30 p.m. | 1 hour, 13 minutes ago Description :AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-54269 Published : June 22, 2026, 4:23 p.m. | 1 hour, 20 minutes ago Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names such as $type when loaded through protobufjs JSON/reflection descriptors, and service methods whose generated helper name is rpcCall. When affected message or service types were used, protobufjs could read schema-controlled data where it expected an own-property helper, reflected type metadata, or the base RPC helper. This could cause deterministic exceptions or recursive calls in affected decode post-checks, verification, object conversion, reflected JSON serialization, or protobufjs RPC helper invocation. This vulnerability is fixed in 8.6.0 and 7.6.3. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server-side request forgery (SSRF) with the Ajax Proxy configured. This may allow an attacker to send unauthorized requests from the system, resulting in a security bypass or information disclosure.
Pagina 150 di 2058