https://vulnerability.circl.lu/sightings/feed 2026-06-23T23:33:42.510357+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/3bdba2b3-a6eb-4538-ba93-df9978f8167c/export 2026-06-23T23:33:42.531026+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "3bdba2b3-a6eb-4538-ba93-df9978f8167c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4874", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhxbmlzugk2t", "content": "", "creation_timestamp": "2026-03-26T09:20:27.934731Z"} 2026-03-26T09:20:27.934731+00:00 https://vulnerability.circl.lu/sighting/1c2a0102-62ce-44e5-9d0b-31a43e77349a/export 2026-06-23T23:33:42.530079+00:00 Joseph Lee https://cve.circl.lu/user/syspect {"uuid": "1c2a0102-62ce-44e5-9d0b-31a43e77349a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-4874", "type": "seen", "source": "https://access.redhat.com/security/cve/CVE-2026-4874", "content": "", "creation_timestamp": "2026-03-27T03:00:08.000000Z"} 2026-03-27T03:00:08+00:00 https://vulnerability.circl.lu/sighting/f89521ee-6315-4ad2-9e68-d5004e3343ef/export 2026-06-23T23:33:42.530008+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "f89521ee-6315-4ad2-9e68-d5004e3343ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48747", "type": "seen", "source": "https://bsky.app/profile/symfony.com/post/3mmtaxinnso2w", "content": "\ud83d\udd10 CVE-2026-48747: Mailomat Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade\n\u27a1\ufe0f https://symfony.com/blog/cve-2026-48747-mailomat-webhook-parser-reads-the-hmac-algorithm-from-the-request-signature-algorithm-downgrade", "creation_timestamp": "2026-05-27T10:03:58.636872Z"} 2026-05-27T10:03:58.636872+00:00 https://vulnerability.circl.lu/sighting/524fba81-8c5a-4340-951b-856ec43dda45/export 2026-06-23T23:33:42.529938+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "524fba81-8c5a-4340-951b-856ec43dda45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48747", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmtq4e3x7q2h", "content": "\ud83d\udd17 CVE : CVE-2026-48489, CVE-2026-48736, CVE-2026-48747, CVE-2026-48760, CVE-2026-48761, CVE-2026-48784", "creation_timestamp": "2026-05-27T14:35:08.384364Z"} 2026-05-27T14:35:08.384364+00:00 https://vulnerability.circl.lu/sighting/3aeef7e9-9967-4c05-a643-7c4776397c55/export 2026-06-23T23:33:42.529868+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "3aeef7e9-9967-4c05-a643-7c4776397c55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48748", "type": "seen", "source": "https://bsky.app/profile/hugovalters.bsky.social/post/3moaq36mskk23", "content": "CVE-2026-48748 - DoS in Netty HTTP/3 codec. Memory exhaustion from infinite blocked streams. CVSS 7.5. Update to 4.2.15.Final immediately. #CVE #infosec #Netty\n\nhttps://www.valtersit.com/cve/CVE-2026-48748/", "creation_timestamp": "2026-06-14T12:04:16.981114Z"} 2026-06-14T12:04:16.981114+00:00 https://vulnerability.circl.lu/sighting/5124795f-bcac-4e92-974c-8f97679960ed/export 2026-06-23T23:33:42.529771+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "5124795f-bcac-4e92-974c-8f97679960ed", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48748", "type": "seen", "source": "https://gist.github.com/alon710/bc7929d92c51f42ce9344791ed6ca313", "content": "# CVE-2026-48748: CVE-2026-48748: Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48748\n\n## Summary\nCVE-2026-48748 is a denial-of-service vulnerability in Netty's HTTP/3 codec (netty-codec-http3) occurring when QPACK dynamic tables are enabled but the blocked streams limit is not explicitly configured. A bug in limit checking and a memory leak in stream tracking allow unauthenticated remote attackers to exhaust the JVM heap memory and crash the server.\n\n## TL;DR\nA boundary check bypass and memory leak in Netty's HTTP/3 QPACK decoder allow remote attackers to exhaust JVM memory and crash servers via an unrestricted number of blocked streams.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 7.5\n- **EPSS Score**: 0.00488\n- **Impact**: Availability (Denial of Service via JVM OOM)\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- io.netty:netty-codec-http3\n- Netty HTTP/3-enabled web servers\n- API gateways using Netty for HTTP/3\n- **netty-codec-http3**: >= 4.2.0.Final, < 4.2.15.Final (Fixed in: `4.2.15.Final`)\n\n## Mitigation\n\n- Upgrade netty-codec-http3 to version 4.2.15.Final or later.\n- Manually set HTTP3_SETTINGS_QPACK_BLOCKED_STREAMS to a non-zero limit (e.g., 100) as a temporary workaround.\n\n**Remediation Steps:**\n1. Identify all Maven, Gradle, or other dependency declarations referencing io.netty:netty-codec-http3.\n2. Update the version property to 4.2.15.Final or later.\n3. If an immediate upgrade is impossible, modify server initialization code to set Http3Settings.withQpackBlockedStreams(100) or equivalent setting in the HTTP/3 bootstrap configuration.\n4. Rebuild and redeploy the application.\n5. Monitor JVM memory usage and QUIC connection durations to detect anomalies.\n\n## References\n\n- [GitHub Advisory GHSA-4grm-h2qv-h6w6](https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6)\n- [Netty 4.2.15.Final Release Tag](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final)\n- [NVD Vulnerability Page](https://nvd.nist.gov/vuln/detail/CVE-2026-48748)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48748)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48748) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T00:56:16.000000Z"} 2026-06-16T00:56:16+00:00 https://vulnerability.circl.lu/sighting/3bf77cd7-c2f4-4892-8ab8-6aa057fdeeb3/export 2026-06-23T23:33:42.529700+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "3bf77cd7-c2f4-4892-8ab8-6aa057fdeeb3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48745", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mogzacajbs2j", "content": "CVE-2026-48745 - Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry\nCVE ID : CVE-2026-48745\n \n Published : June 16, 2026, 10:19 p.m. | 1\u00a0hour, 13\u00a0minutes ago\n \n Description : Traccar Client is a GPS tracking mobile app for sending ...", "creation_timestamp": "2026-06-17T00:04:10.434652Z"} 2026-06-17T00:04:10.434652+00:00 https://vulnerability.circl.lu/sighting/4187da55-331b-4f76-954f-dad1dbb72cd2/export 2026-06-23T23:33:42.529622+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "4187da55-331b-4f76-954f-dad1dbb72cd2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-48745", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3moh62q4wkd2f", "content": "CRITICAL: traccar-client <=9.7.19 lets attackers silently redirect GPS data via deep links \u2014 no user alert, persists after restart. Upgrade to 9.7.20 ASAP! \ud83d\udef0\ufe0f https://radar.offseq.com/threat/cve-2026-48745-cwe-940-improper-verification-of-so-6b0c4b37 #OffSeq #MobileSecurity #Vulnerability", "creation_timestamp": "2026-06-17T01:30:33.328740Z"} 2026-06-17T01:30:33.328740+00:00 https://vulnerability.circl.lu/sighting/aa9d129c-1046-4371-8acb-2a9462159863/export 2026-06-23T23:33:42.529510+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "aa9d129c-1046-4371-8acb-2a9462159863", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48746", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mow4wr4po422", "content": "CVE-2026-48746 - vLLM: OpenAI auth bypass\nCVE ID : CVE-2026-48746\n \n Published : June 22, 2026, 9:57 p.m. | 1\u00a0hour, 46\u00a0minutes ago\n \n Description : vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web se...", "creation_timestamp": "2026-06-23T00:20:21.727159Z"} 2026-06-23T00:20:21.727159+00:00 https://vulnerability.circl.lu/sighting/515bc04c-48da-46d1-92b3-ab1623b72805/export 2026-06-23T23:33:42.527347+00:00 Automation user https://cve.circl.lu/user/automation {"uuid": "515bc04c-48da-46d1-92b3-ab1623b72805", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48746", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3moweoh5uiy2r", "content": "vLLM 0.3.0-0.22.0\u3067\u3001ASGI\u30b5\u30fc\u30d0\u30fc\u3068starlette\u306e\u4fe1\u983c\u95a2\u4fc2\u306b\u8a8d\u8a3c\u30d0\u30a4\u30d1\u30b9\u306e\u8106\u5f31\u6027\u3002API\u30ad\u30fc\u306a\u3057\u3067API\u5229\u7528\u304c\u53ef\u80fd\u30020.22.0\u3067\u4fee\u6b63\u3002\nCVE-2026-48746 CVSS 9.1 | CRITICAL", "creation_timestamp": "2026-06-23T02:39:02.490990Z"} 2026-06-23T02:39:02.490990+00:00