Skip to main content
CVE-2026-5222 LOW PATCH GHSA Monitor

Credential leakage in Cargo's sparse index registry URL normalization affects all Cargo releases from 1.68 through 1.96. The flaw caused Cargo to incorrectly apply git-registry canonicalization rules - specifically, stripping `.git` suffixes and lowercasing GitHub paths - to sparse index protocol URLs (prefixed with `sparse+`). This allowed two distinct sparse registry URLs that differed only by a `.git` suffix to resolve to the same canonical identifier, meaning credentials configured for one registry could be transmitted to a different, attacker-controlled registry on the same domain. No public exploit identified at time of analysis; EPSS is 0.04% (12th percentile), consistent with the vendor-assessed low severity and SSVC exploitation status of none.

Information Disclosure Cargo
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-9420 LOW Monitor

Injection via HTTP GET request parameter manipulation in KLiK SocialMediaWebsite 1.0 allows remote attackers to inject arbitrary content or code through the application's parameter handler, contingent on passive user interaction. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact scoped exclusively to the vulnerable system with no lateral impact. Publicly available exploit code exists per the E:P exploit maturity metric and SSVC poc classification, though EPSS at 0.04% (13th percentile) and the non-KEV status indicate no observed widespread exploitation.

Code Injection Klik Socialmediawebsite
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9497 LOW Monitor

Unsafe deserialization in changmingxie tcc-transaction (versions up to 2.1.0) allows a remotely authenticated attacker with low privileges to exploit the Fastjson AutoType feature via the REST API, achieving limited confidentiality, integrity, and availability impact on the affected system. A proof-of-concept exploit exists (CVSS 4.0 E:P), referenced in a public GitHub bug report, though EPSS probability sits at just 0.04% (12th percentile) and SSVC assesses exploitation as none at time of analysis, indicating no observed active abuse. The vendor was notified prior to disclosure but did not respond, meaning no official patch has been released.

Deserialization Tcc Transaction
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-47069 LOW POC PATCH GHSA Monitor

CRLF injection in the hackney Erlang HTTP client library's hackney_cookie:setcookie/3 function enables HTTP response splitting against applications using versions 0.9.0 through before 4.0.1. While the function correctly validates the Name and Value cookie arguments against CRLF and control characters, it concatenates the domain and path options verbatim into the output iolist with no equivalent check, creating an injection point. An attacker who can influence the domain or path values passed to that function - for example, by submitting a crafted Host header or URL path that an application forwards directly into the cookie-setting call - can inject arbitrary additional Set-Cookie headers into the HTTP response. No public exploit identified at time of analysis per KEV absence, though SSVC confirms a proof-of-concept exists.

Code Injection Hackney
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy