Skip to main content

CWE-644

Improper Neutralization of HTTP Headers for Scripting Syntax

45 CVEs Avg CVSS 6.3 MITRE
4
CRITICAL
11
HIGH
27
MEDIUM
3
LOW
5
POC
0
KEV

Monthly

CVE-2026-54477 MEDIUM PATCH CISA This Month

Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.

XSS Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2024-51454 MEDIUM PATCH This Month

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XSS Engineering Workflow Management
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-10836 MEDIUM PATCH This Month

Host Header Injection in Password Manager (all versions per CPE) enables remote unauthenticated attackers to manipulate the HTTP Host header, causing the application to generate crafted links or responses that reference an attacker-controlled domain. Exploitation requires active user interaction (UI:A per CVSS 4.0 vector), limiting mass exploitation but enabling targeted phishing, password-reset link hijacking, or cache poisoning affecting dependent services. No public exploit code has been identified, and INCIBE has confirmed a vendor patch is available. This vulnerability is part of a broader set of issues disclosed simultaneously in the same INCIBE advisory.

Information Disclosure Password Manager
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-4096 MEDIUM PATCH This Month

HTTP header injection in IBM DevOps Plan 3.0.0 through 3.0.6 allows unauthenticated remote attackers to inject arbitrary HTTP headers by supplying a malicious HOST header value that the application fails to sanitize. The vulnerability (CWE-644) can be leveraged to mount cross-site scripting attacks against users, poison intermediate caches with attacker-controlled content, or hijack authenticated sessions. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, though the low-complexity, no-authentication-required attack surface makes this a meaningful risk for any internet-facing deployment.

XSS IBM Devops Plan
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33805 npm CRITICAL PATCH GHSA Act Now

HTTP header smuggling in @fastify/reply-from ≤12.6.1 and @fastify/http-proxy ≤11.4.3 allows remote unauthenticated attackers to strip proxy-added security headers from upstream requests via malicious Connection header values. Attackers can retroactively remove headers intended for routing, access control, or authentication, potentially bypassing proxy-enforced security policies. CVSS 9.0 (Critical) with high integrity impact to both vulnerable and subsequent systems. EPSS 0.04% indicates low mass-exploitation probability despite proof-of-concept availability (SSVC). Vendor patches available: upgrade to @fastify/reply-from ≥12.6.2 or @fastify/http-proxy ≥11.4.4.

Information Disclosure Fastify Reply From Fastify Http Proxy
NVD GitHub VulDB
CVSS 4.0
9.0
EPSS
0.0%
CVE-2025-66485 MEDIUM PATCH This Month

HTTP header injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated attackers to conduct cross-site scripting, cache poisoning, and session hijacking attacks via improper validation of HOST headers. The vulnerability requires authenticated access and carries a CVSS score of 5.4 with moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed.

IBM XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33149 HIGH This Week

Tandoor Recipes versions through 2.5.3 permit Host header injection attacks that enable invite link poisoning, allowing authenticated administrators with high privileges to be social-engineered into sending system-generated invite tokens to attacker-controlled servers. The Django application's default ALLOWED_HOSTS='*' configuration fails to validate HTTP Host headers, which combined with request.build_absolute_uri() usage allows manipulation of all absolute URLs including invite emails, API pagination, and OpenAPI schemas. No public exploit identified at time of analysis; CVSS 8.1 reflects network-based attack requiring high privileges and user interaction with changed scope.

Python Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-14807 MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

XSS IBM
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13213 MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Orchestrator
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36227 MEDIUM This Month

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Faspex
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.

XSS Gardyn Home Firmware Gardyn Studio Firmware +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

IBM Engineering Workflow Management 7.0.2 through 7.0.2 Interim Fix 035, 7.0.3 through 7.0.3 Interim Fix 017, and 7.1 through 7.1 Interim Fix 004 is vulnerable to HTTP header injection, caused by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM XSS Engineering Workflow Management
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Host Header Injection in Password Manager (all versions per CPE) enables remote unauthenticated attackers to manipulate the HTTP Host header, causing the application to generate crafted links or responses that reference an attacker-controlled domain. Exploitation requires active user interaction (UI:A per CVSS 4.0 vector), limiting mass exploitation but enabling targeted phishing, password-reset link hijacking, or cache poisoning affecting dependent services. No public exploit code has been identified, and INCIBE has confirmed a vendor patch is available. This vulnerability is part of a broader set of issues disclosed simultaneously in the same INCIBE advisory.

Information Disclosure Password Manager
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTTP header injection in IBM DevOps Plan 3.0.0 through 3.0.6 allows unauthenticated remote attackers to inject arbitrary HTTP headers by supplying a malicious HOST header value that the application fails to sanitize. The vulnerability (CWE-644) can be leveraged to mount cross-site scripting attacks against users, poison intermediate caches with attacker-controlled content, or hijack authenticated sessions. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, though the low-complexity, no-authentication-required attack surface makes this a meaningful risk for any internet-facing deployment.

XSS IBM Devops Plan
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

HTTP header smuggling in @fastify/reply-from ≤12.6.1 and @fastify/http-proxy ≤11.4.3 allows remote unauthenticated attackers to strip proxy-added security headers from upstream requests via malicious Connection header values. Attackers can retroactively remove headers intended for routing, access control, or authentication, potentially bypassing proxy-enforced security policies. CVSS 9.0 (Critical) with high integrity impact to both vulnerable and subsequent systems. EPSS 0.04% indicates low mass-exploitation probability despite proof-of-concept availability (SSVC). Vendor patches available: upgrade to @fastify/reply-from ≥12.6.2 or @fastify/http-proxy ≥11.4.4.

Information Disclosure Fastify Reply From Fastify Http Proxy
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

HTTP header injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated attackers to conduct cross-site scripting, cache poisoning, and session hijacking attacks via improper validation of HOST headers. The vulnerability requires authenticated access and carries a CVSS score of 5.4 with moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed.

IBM XSS
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Tandoor Recipes versions through 2.5.3 permit Host header injection attacks that enable invite link poisoning, allowing authenticated administrators with high privileges to be social-engineered into sending system-generated invite tokens to attacker-controlled servers. The Django application's default ALLOWED_HOSTS='*' configuration fails to validate HTTP Host headers, which combined with request.build_absolute_uri() usage allows manipulation of all absolute URLs including invite emails, API pagination, and OpenAPI schemas. No public exploit identified at time of analysis; CVSS 8.1 reflects network-based attack requiring high privileges and user interaction with changed scope.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an HTTP header injection vulnerability caused by improper validation of the HOST header, allowing unauthenticated remote attackers to conduct cross-site scripting (XSS), cache poisoning, and session hijacking attacks. A vendor patch is available, and while this vulnerability is not currently listed as actively exploited in CISA's Known Exploited Vulnerabilities catalog, the CVSS score of 6.5 with network accessibility and low attack complexity indicates moderate real-world risk.

XSS IBM
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Orchestrator
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Faspex
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy