https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Tue, 23 Jun 2026 23:42:38 +0000 https://vulnerability.circl.lu/sighting/9234cc12-3eb0-4cbb-89bc-3a94d9e2e0d6/export {"uuid": "9234cc12-3eb0-4cbb-89bc-3a94d9e2e0d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49973", "type": "seen", "source": "https://bsky.app/profile/hugovalters.bsky.social/post/3mo2dledkjf23", "content": "CVE-2026-49973 - Critical improper access control in Hermes WebUI. Unauthenticated attackers can hijack initial setup, set arbitrary password, lock out operators. CVSS 9.4. No patch yet - isolate affected systems immediately. #CVE #infosec ...\n\nhttps://www.valtersit.com/cve/CVE-2026-49973/", "creation_timestamp": "2026-06-11T23:04:42.651434Z"} {"uuid": "9234cc12-3eb0-4cbb-89bc-3a94d9e2e0d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49973", "type": "seen", "source": "https://bsky.app/profile/hugovalters.bsky.social/post/3mo2dledkjf23", "content": "CVE-2026-49973 - Critical improper access control in Hermes WebUI. Unauthenticated attackers can hijack initial setup, set arbitrary password, lock out operators. CVSS 9.4. No patch yet - isolate affected systems immediately. #CVE #infosec ...\n\nhttps://www.valtersit.com/cve/CVE-2026-49973/", "creation_timestamp": "2026-06-11T23:04:42.651434Z"} https://vulnerability.circl.lu/sighting/9234cc12-3eb0-4cbb-89bc-3a94d9e2e0d6/export Thu, 11 Jun 2026 23:04:42 +0000 https://vulnerability.circl.lu/sighting/0ecd1419-dcfa-4b06-a3bd-82751e6a89cf/export {"uuid": "0ecd1419-dcfa-4b06-a3bd-82751e6a89cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mo2dlmzybc2y", "content": "The latest update for #HAProxy includes \"How Clover moved beyond blue-green deployments with HAProxy Fusion Control Plane\" and \"Protecting against HTTP/2 Bomb vulnerability (CVE-2026-49975) with HAProxy\".\n \n#DevOps #Kubernetes #Security https://opsmtrs.com/3aGSzYy", "creation_timestamp": "2026-06-11T23:04:58.683518Z"} {"uuid": "0ecd1419-dcfa-4b06-a3bd-82751e6a89cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3mo2dlmzybc2y", "content": "The latest update for #HAProxy includes \"How Clover moved beyond blue-green deployments with HAProxy Fusion Control Plane\" and \"Protecting against HTTP/2 Bomb vulnerability (CVE-2026-49975) with HAProxy\".\n \n#DevOps #Kubernetes #Security https://opsmtrs.com/3aGSzYy", "creation_timestamp": "2026-06-11T23:04:58.683518Z"} https://vulnerability.circl.lu/sighting/0ecd1419-dcfa-4b06-a3bd-82751e6a89cf/export Thu, 11 Jun 2026 23:04:58 +0000 https://vulnerability.circl.lu/sighting/bcd7ab20-7f75-4946-8a95-d1e8f89103e1/export {"uuid": "bcd7ab20-7f75-4946-8a95-d1e8f89103e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "published-proof-of-concept", "source": "Telegram/Mx8_R5zb-Z9gjGYN6BhHtUu2odHzDXmYt7pgC-ocYKB9dvw", "content": "", "creation_timestamp": "2026-06-13T09:00:05.000000Z"} {"uuid": "bcd7ab20-7f75-4946-8a95-d1e8f89103e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "published-proof-of-concept", "source": "Telegram/Mx8_R5zb-Z9gjGYN6BhHtUu2odHzDXmYt7pgC-ocYKB9dvw", "content": "", "creation_timestamp": "2026-06-13T09:00:05.000000Z"} https://vulnerability.circl.lu/sighting/bcd7ab20-7f75-4946-8a95-d1e8f89103e1/export Sat, 13 Jun 2026 09:00:05 +0000 https://vulnerability.circl.lu/sighting/3b96efdd-839e-4cfd-aab7-ddf5c9ac5da6/export {"uuid": "3b96efdd-839e-4cfd-aab7-ddf5c9ac5da6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49973", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3moby5x7tin2v", "content": "\ud83d\udd34 CVE-2026-49973 - Critical (9.4)\n\nHermes WebUI before version 0.51.358 contains an improper access control vulnerability that allow...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-49973/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-15T00:01:40.335358Z"} {"uuid": "3b96efdd-839e-4cfd-aab7-ddf5c9ac5da6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49973", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3moby5x7tin2v", "content": "\ud83d\udd34 CVE-2026-49973 - Critical (9.4)\n\nHermes WebUI before version 0.51.358 contains an improper access control vulnerability that allow...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-49973/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-15T00:01:40.335358Z"} https://vulnerability.circl.lu/sighting/3b96efdd-839e-4cfd-aab7-ddf5c9ac5da6/export Mon, 15 Jun 2026 00:01:40 +0000 https://vulnerability.circl.lu/sighting/4e209a28-3fb8-4e04-a180-0244444595a7/export {"uuid": "4e209a28-3fb8-4e04-a180-0244444595a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49973", "type": "seen", "source": "https://bsky.app/profile/potato.software/post/3moby5ymkvr2i", "content": "\ud83d\udd34 CVE-2026-49973 - Critical (9.4)\n\nHermes WebUI before version 0.51.358 contains an improper access control vulnerability that allow...\n\nhttps://www.themasherwire.com/vulnerability/CVE-2026-49973/\n\n#infosec #potatosecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-15T00:01:41.049321Z"} {"uuid": "4e209a28-3fb8-4e04-a180-0244444595a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49973", "type": "seen", "source": "https://bsky.app/profile/potato.software/post/3moby5ymkvr2i", "content": "\ud83d\udd34 CVE-2026-49973 - Critical (9.4)\n\nHermes WebUI before version 0.51.358 contains an improper access control vulnerability that allow...\n\nhttps://www.themasherwire.com/vulnerability/CVE-2026-49973/\n\n#infosec #potatosecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-15T00:01:41.049321Z"} https://vulnerability.circl.lu/sighting/4e209a28-3fb8-4e04-a180-0244444595a7/export Mon, 15 Jun 2026 00:01:41 +0000 https://vulnerability.circl.lu/sighting/6a9ab895-412a-4d5b-8d07-400f7fba502b/export {"uuid": "6a9ab895-412a-4d5b-8d07-400f7fba502b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3moex5chm2z2c", "content": "The latest update for #CyCognito includes \"Emerging Threat: (CVE-2026-49975) Apache HTTP Server Denial of Service via HTTP/2 Memory Exhaustion\".\n\n#cybersecurity #AttackSurfaceManagement #EASM https://opsmtrs.com/44Srq0X", "creation_timestamp": "2026-06-16T04:21:23.203854Z"} {"uuid": "6a9ab895-412a-4d5b-8d07-400f7fba502b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/opsmatters.com/post/3moex5chm2z2c", "content": "The latest update for #CyCognito includes \"Emerging Threat: (CVE-2026-49975) Apache HTTP Server Denial of Service via HTTP/2 Memory Exhaustion\".\n\n#cybersecurity #AttackSurfaceManagement #EASM https://opsmtrs.com/44Srq0X", "creation_timestamp": "2026-06-16T04:21:23.203854Z"} https://vulnerability.circl.lu/sighting/6a9ab895-412a-4d5b-8d07-400f7fba502b/export Tue, 16 Jun 2026 04:21:23 +0000 https://vulnerability.circl.lu/sighting/c4c7e053-2b88-40fa-b384-6b4e2c5d3f08/export {"uuid": "c4c7e053-2b88-40fa-b384-6b4e2c5d3f08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/thedailytechfeed.com/post/3moknb5kd572e", "content": "Apache HTTP Server's 'HTTP/2 Bomb' flaw (CVE-2026-49975) enables remote DoS attacks. Upgrade to version 2.4.68+ immediately. #Apache #HTTP2 #CVE202649975 #CyberSecurity #DoS #Vulnerability thedailytechfeed.com/critical-htt...", "creation_timestamp": "2026-06-18T10:40:33.689626Z"} {"uuid": "c4c7e053-2b88-40fa-b384-6b4e2c5d3f08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/thedailytechfeed.com/post/3moknb5kd572e", "content": "Apache HTTP Server's 'HTTP/2 Bomb' flaw (CVE-2026-49975) enables remote DoS attacks. Upgrade to version 2.4.68+ immediately. #Apache #HTTP2 #CVE202649975 #CyberSecurity #DoS #Vulnerability thedailytechfeed.com/critical-htt...", "creation_timestamp": "2026-06-18T10:40:33.689626Z"} https://vulnerability.circl.lu/sighting/c4c7e053-2b88-40fa-b384-6b4e2c5d3f08/export Thu, 18 Jun 2026 10:40:33 +0000 https://vulnerability.circl.lu/sighting/750a9aed-b655-4695-9262-6200bfa664e7/export {"uuid": "750a9aed-b655-4695-9262-6200bfa664e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://gist.github.com/alon710/523db0554da2f223a1424635be2e087a", "content": "# CVE-2026-49975: CVE-2026-49975: Remote Denial of Service via HTTP/2 HPACK Cookie Memory Amplification in Apache HTTP Server\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-49975\n\n## Summary\nCVE-2026-49975 describes a high-severity remote Denial of Service (DoS) vulnerability in the Apache HTTP Server's mod_http2 module. Unauthenticated attackers can exploit the HPACK compression and cookie-merging behavior to trigger severe, quadratic memory allocation. This resource exhaustion is maintained by manipulating the HTTP/2 flow-control window, ultimately forcing an Out-of-Memory condition on the server host.\n\n## TL;DR\nA memory amplification bug in Apache's mod_http2 allows remote unauthenticated attackers to exhaust server RAM using small HTTP/2 header streams, causing a Denial of Service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-789\n- **Attack Vector**: Network\n- **CVSS Score**: 7.5 (High)\n- **EPSS Score**: 0.01313\n- **EPSS Percentile**: 66.94%\n- **Impact**: Remote Denial of Service\n- **Exploit Status**: Proof-of-Concept Available\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Apache HTTP Server (mod_http2)\n- **Apache HTTP Server (mod_http2)**: 2.4.17 through 2.4.67 (Fixed in: `2.4.68`)\n\n## Mitigation\n\n- Upgrade to Apache HTTP Server 2.4.68 or later\n- Upgrade mod_http2 to standalone version 2.0.41 or higher\n- Disable HTTP/2 support to fall back to HTTP/1.1\n- Implement operating system or container memory boundaries on worker processes\n\n**Remediation Steps:**\n1. Identify affected server configurations by verifying HTTP/2 status and server version via command-line curl tools.\n2. Apply upstream package updates using default system package managers or compile the latest source distribution of httpd.\n3. If immediate patching is not possible, edit httpd.conf or ssl.conf to limit protocols explicitly to http/1.1.\n4. Apply systemd MemoryMax parameters or run Docker containers with enforced memory and swap limits to prevent system-wide lockups.\n5. Verify the remediation by running automated validation scripts against the newly modified hosts.\n\n## References\n\n- [CVE Official Record](https://www.cve.org/CVERecord?id=CVE-2026-49975)\n- [Apache HTTP Server Security Advisories](https://httpd.apache.org/security/vulnerabilities_24.html)\n- [Upstream Bugfix Commit](https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c)\n- [Calif.IO HTTP/2 Bomb Discovery Blog](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)\n- [OSS-Security List Disclosure](http://www.openwall.com/lists/oss-security/2026/06/03/3)\n- [OSS-Security Official Announcement](http://www.openwall.com/lists/oss-security/2026/06/08/16)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html)\n- [mrx-arafat Proof-of-Concept Exploit](https://github.com/mrx-arafat/CVE-2026-49975-POC)\n- [EQSTLab PoC Repository](https://github.com/EQSTLab/CVE-2026-49975)\n- [LSG-PolarBear PoC Exploit](https://github.com/LSG-PolarBear/CVE-2026-49975)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49975) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T11:21:49.000000Z"} {"uuid": "750a9aed-b655-4695-9262-6200bfa664e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://gist.github.com/alon710/523db0554da2f223a1424635be2e087a", "content": "# CVE-2026-49975: CVE-2026-49975: Remote Denial of Service via HTTP/2 HPACK Cookie Memory Amplification in Apache HTTP Server\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-49975\n\n## Summary\nCVE-2026-49975 describes a high-severity remote Denial of Service (DoS) vulnerability in the Apache HTTP Server's mod_http2 module. Unauthenticated attackers can exploit the HPACK compression and cookie-merging behavior to trigger severe, quadratic memory allocation. This resource exhaustion is maintained by manipulating the HTTP/2 flow-control window, ultimately forcing an Out-of-Memory condition on the server host.\n\n## TL;DR\nA memory amplification bug in Apache's mod_http2 allows remote unauthenticated attackers to exhaust server RAM using small HTTP/2 header streams, causing a Denial of Service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-789\n- **Attack Vector**: Network\n- **CVSS Score**: 7.5 (High)\n- **EPSS Score**: 0.01313\n- **EPSS Percentile**: 66.94%\n- **Impact**: Remote Denial of Service\n- **Exploit Status**: Proof-of-Concept Available\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Apache HTTP Server (mod_http2)\n- **Apache HTTP Server (mod_http2)**: 2.4.17 through 2.4.67 (Fixed in: `2.4.68`)\n\n## Mitigation\n\n- Upgrade to Apache HTTP Server 2.4.68 or later\n- Upgrade mod_http2 to standalone version 2.0.41 or higher\n- Disable HTTP/2 support to fall back to HTTP/1.1\n- Implement operating system or container memory boundaries on worker processes\n\n**Remediation Steps:**\n1. Identify affected server configurations by verifying HTTP/2 status and server version via command-line curl tools.\n2. Apply upstream package updates using default system package managers or compile the latest source distribution of httpd.\n3. If immediate patching is not possible, edit httpd.conf or ssl.conf to limit protocols explicitly to http/1.1.\n4. Apply systemd MemoryMax parameters or run Docker containers with enforced memory and swap limits to prevent system-wide lockups.\n5. Verify the remediation by running automated validation scripts against the newly modified hosts.\n\n## References\n\n- [CVE Official Record](https://www.cve.org/CVERecord?id=CVE-2026-49975)\n- [Apache HTTP Server Security Advisories](https://httpd.apache.org/security/vulnerabilities_24.html)\n- [Upstream Bugfix Commit](https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c)\n- [Calif.IO HTTP/2 Bomb Discovery Blog](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)\n- [OSS-Security List Disclosure](http://www.openwall.com/lists/oss-security/2026/06/03/3)\n- [OSS-Security Official Announcement](http://www.openwall.com/lists/oss-security/2026/06/08/16)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html)\n- [mrx-arafat Proof-of-Concept Exploit](https://github.com/mrx-arafat/CVE-2026-49975-POC)\n- [EQSTLab PoC Repository](https://github.com/EQSTLab/CVE-2026-49975)\n- [LSG-PolarBear PoC Exploit](https://github.com/LSG-PolarBear/CVE-2026-49975)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49975) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T11:21:49.000000Z"} https://vulnerability.circl.lu/sighting/750a9aed-b655-4695-9262-6200bfa664e7/export Thu, 18 Jun 2026 11:21:49 +0000 https://vulnerability.circl.lu/sighting/4d1683ad-3f85-4500-a8bd-f681e080a9f2/export {"uuid": "4d1683ad-3f85-4500-a8bd-f681e080a9f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mokvmwwejr2h", "content": "\ud83d\udd17 CVE : CVE-2026-49975", "creation_timestamp": "2026-06-18T13:10:30.528498Z"} {"uuid": "4d1683ad-3f85-4500-a8bd-f681e080a9f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mokvmwwejr2h", "content": "\ud83d\udd17 CVE : CVE-2026-49975", "creation_timestamp": "2026-06-18T13:10:30.528498Z"} https://vulnerability.circl.lu/sighting/4d1683ad-3f85-4500-a8bd-f681e080a9f2/export Thu, 18 Jun 2026 13:10:30 +0000 https://vulnerability.circl.lu/sighting/795eeb2a-9cab-4022-a6ff-ae6262f3bc81/export {"uuid": "795eeb2a-9cab-4022-a6ff-ae6262f3bc81", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-49975", "type": "seen", "source": "https://bsky.app/profile/getpacketai.bsky.social/post/3moobzzfbs42j", "content": "Apache HTTP Server mod_http2 flaw lets unauthenticated attackers crash servers with tiny HTTP/2 requests via memory amplification.\u2026\n\nhttps://dev.to/cverports/cve-2026-49975-cve-2026-49975-remote-denial-of-service-via-http2-hpack-cookie-memory-1ghd\n\n#appsec #DevSecOps", "creation_timestamp": "2026-06-19T21:30:21.763461Z"} {"uuid": "795eeb2a-9cab-4022-a6ff-ae6262f3bc81", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-49975", "type": "seen", "source": "https://bsky.app/profile/getpacketai.bsky.social/post/3moobzzfbs42j", "content": "Apache HTTP Server mod_http2 flaw lets unauthenticated attackers crash servers with tiny HTTP/2 requests via memory amplification.\u2026\n\nhttps://dev.to/cverports/cve-2026-49975-cve-2026-49975-remote-denial-of-service-via-http2-hpack-cookie-memory-1ghd\n\n#appsec #DevSecOps", "creation_timestamp": "2026-06-19T21:30:21.763461Z"} https://vulnerability.circl.lu/sighting/795eeb2a-9cab-4022-a6ff-ae6262f3bc81/export Fri, 19 Jun 2026 21:30:21 +0000