
Overview

  • honojs
  • hono

13 Jan 2026
Published
14 Jan 2026
Updated

CVSS v3.1
HIGH (8.2)
EPSS
0.14%

KEV

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

Today's Zenn trend: An explanation of the fix for the vulnerability in Hono's JWT/JWK middleware. A vulnerability exploitable via an algorithm confusion attack (CVE-2026-22817, CVE-2026-22818) has been fixed in Hono's JWT/JWK middleware. The issue allowed an attacker to forge signatures by manipulating the alg field of the JWT header and abusing the public key as an HMAC secret. It has been fixed in the latest version, so a prompt update is recommended.

Overview

  • honojs
  • hono

13 Jan 2026
Published
15 Jan 2026
Updated

CVSS v3.1
HIGH (8.2)
EPSS
0.12%

KEV

Description

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

Today's Zenn trend: An explanation of the fix for the vulnerability in Hono's JWT/JWK middleware. A vulnerability exploitable via an algorithm confusion attack (CVE-2026-22817, CVE-2026-22818) has been fixed in Hono's JWT/JWK middleware. The issue allowed an attacker to forge signatures by manipulating the alg field of the JWT header and abusing the public key as an HMAC secret. It has been fixed in the latest version, so a prompt update is recommended.

Overview

  • tinyproxy
  • tinyproxy

17 Jun 2026
Published
23 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.39%

KEV

Description

Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse


Three critical Tinyproxy request smuggling vulnerabilities, including CVE-2026-54388, expose networks to severe attacks. Update your proxy servers immediately.


securityonline.info/tinyproxy-


Overview

  • Pending

16 Jan 2014
Published
06 Aug 2024
Updated

CVSS
Pending
EPSS
2.17%

KEV

Description

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse


VDE-2026-071
JUMO: Allegro RomPager webserver vulnerability in JUMO mTRONT, DICON touch, AQUIS touch devices

Multiple products from JUMO are affected by the webserver vulnerabilities CVE-2013-6786, CVE-2014-9222, CVE-2014-9223. This vulnerability leads to DoS of the device by using a misfortune cookie and reflected XSS attacks.
CVE-2014-9222, CVE-2013-6786, CVE-2014-9223

certvde.com/en/advisories/vde-

jumo.csaf-tp.certvde.com/.well


Overview

  • tinyproxy
  • tinyproxy

17 Jun 2026
Published
23 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.39%

KEV

Description

Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse


Three critical Tinyproxy request smuggling vulnerabilities, including CVE-2026-54388, expose networks to severe attacks. Update your proxy servers immediately.


securityonline.info/tinyproxy-


Overview

  • tinyproxy
  • tinyproxy

17 Jun 2026
Published
23 Jun 2026
Updated

CVSS v4.0
HIGH (8.8)
EPSS
0.34%

KEV

Description

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse


Three critical Tinyproxy request smuggling vulnerabilities, including CVE-2026-54388, expose networks to severe attacks. Update your proxy servers immediately.


securityonline.info/tinyproxy-


Overview

  • Pending

24 Dec 2014
Published
06 Aug 2024
Updated

CVSS
Pending
EPSS
6.03%

KEV

Description

Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse


VDE-2026-071
JUMO: Allegro RomPager webserver vulnerability in JUMO mTRONT, DICON touch, AQUIS touch devices

Multiple products from JUMO are affected by the webserver vulnerabilities CVE-2013-6786, CVE-2014-9222, CVE-2014-9223. This vulnerability leads to DoS of the device by using a misfortune cookie and reflected XSS attacks.
CVE-2014-9222, CVE-2013-6786, CVE-2014-9223

certvde.com/en/advisories/vde-

jumo.csaf-tp.certvde.com/.well


Overview

  • Fortinet
  • FortiSandbox

14 Apr 2026
Published
18 Jun 2026
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
16.74%

KEV

Description

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via specially crafted HTTP requests.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

~Checkpoint~ Weekly threat intel highlights FortiSandbox & Splunk zero-days, AI agent exploits, and major breaches at Texas Parks & Klue. - IOCs: CVE-2026-39813, CVE-2026-50656, CVE-2026-20253 - #DataBreach #ThreatIntel #Vulnerabilities

Overview

  • Pending

24 Dec 2014
Published
06 Aug 2024
Updated

CVSS
Pending
EPSS
63.50%

KEV

Description

AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse


VDE-2026-071
JUMO: Allegro RomPager webserver vulnerability in JUMO mTRONT, DICON touch, AQUIS touch devices

Multiple products from JUMO are affected by the webserver vulnerabilities CVE-2013-6786, CVE-2014-9222, CVE-2014-9223. This vulnerability leads to DoS of the device by using a misfortune cookie and reflected XSS attacks.
CVE-2014-9222, CVE-2013-6786, CVE-2014-9223

certvde.com/en/advisories/vde-

jumo.csaf-tp.certvde.com/.well

Showing 61 to 69 of 69 CVEs