Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score
Vulnerability
Published
8.7 HIGH
CVE-2026-47073 — Unbounded memory consumption in WebSocket client in hackney

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three…

Remote | Denial of Service
May 25, 2026
8.7 HIGH
CVE-2026-47067 — Atom table exhaustion via unrecognized URL schemes in hackney

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM…

Remote | Denial of Service
May 25, 2026
6.9 MEDIUM
CVE-2026-47072 — CRLF injection in WebSocket upgrade request in hackney

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host,…

Remote | Injection
May 25, 2026
6.9 MEDIUM
CVE-2026-47076 — SSRF allowlist bypass via percent-encoded host in hackney

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{}…

Server-Side Request Forgery
May 25, 2026
6.0 MEDIUM
CVE-2026-47070 — HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect t…

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to th…

Remote | Information Disclosure
May 25, 2026
6.8 MEDIUM
CVE-2026-47075 — CR/LF injection in query parameter in hackney

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL …

Injection
May 25, 2026
8.2 HIGH
CVE-2026-47077 — Unbounded body accumulation in HTTP/3 response loop in hackney

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size…

Remote | Denial of Service
May 25, 2026
8.2 HIGH
CVE-2026-47071 — SOCKS5 TLS upgrade ignores caller timeout in hackney

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiat…

Remote | Denial of Service
May 25, 2026
8.7 HIGH
CVE-2026-47066 — Infinite loop in Alt-Svc header parser in hackney

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee fo…

Remote | Denial of Service
May 25, 2026
2.1 LOW
CVE-2026-47069 — CRLF injection in cookie domain/path options in hackney

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validat…

Injection
May 25, 2026
0.0 NA
CVE-2026-9464 — YunaiV yudao-cloud Admin API Endpoint create IotDataSinkHttpConfig server-side request fo…

A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such man…

Server-Side Request Forgery
May 25, 2026
0.0 NA
CVE-2026-9463 — Edimax EW-7438RPn formLicence stack-based overflow

A flaw has been found in Edimax EW-7438RPn 1.31. Affected by this issue is the function formLicence of the file /goform/formLicence. This manipulation of the argument submit-url causes stack-based bu…

Memory Corruption
May 25, 2026
0.0 NA
CVE-2026-9462 — Edimax EW-7438RPn formWpsProxyEnable stack-based overflow

A vulnerability was detected in Edimax EW-7438RPn 1.31. Affected by this vulnerability is the function formWpsProxyEnable of the file /goform/formWpsProxyEnable. The manipulation of the argument subm…

Memory Corruption
May 25, 2026
9.3 CRITICAL
CVE-2026-9058 — Improper Certificate Verification in Szafir SDK

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") …

Remote | Cryptography
May 25, 2026
0.0 NA
CVE-2026-9461 — Edimax EW-7438RPn formRadius stack-based overflow

A security vulnerability has been detected in Edimax EW-7438RPn 1.31. Affected is the function formRadius of the file /goform/formRadius. The manipulation of the argument submit-url leads to stack-ba…

Memory Corruption
May 25, 2026
0.0 NA
CVE-2026-9460 — Edimax EW-7438RPn formAccept stack-based overflow

A weakness has been identified in Edimax EW-7438RPn 1.31. This impacts the function formAccept of the file /goform/formAccept. Executing a manipulation of the argument submit-url can lead to stack-ba…

Memory Corruption
May 25, 2026
0.0 NA
CVE-2026-9459 — Edimax EW-7438RPn formConnectionSetting stack-based overflow

A security flaw has been discovered in Edimax EW-7438RPn 1.31. This affects the function formConnectionSetting of the file /goform/formConnectionSetting. Performing a manipulation of the argument max…

Memory Corruption
May 25, 2026
0.0 NA
CVE-2026-9458 — Totolink A8000RU Web Management cstecgi.cgi setWanCfg os command injection

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such…

Injection
May 25, 2026
0.0 NA
CVE-2026-9457 — Totolink A8000RU Web Management cstecgi.cgi UploadFirmwareFile os command injection

A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interf…

Injection
May 25, 2026
0.0 NA
CVE-2026-9456 — Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCfg os command injection

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation …

Injection
May 25, 2026
Showing 20 of 5828 Results