Libsoup
CVEs (29)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2443 | | | 0.00 | — | 0.00 | | Feb 13, 2026 | A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access… |
| CVE-2026-1539 | | | 0.00 | — | 0.00 | | Jan 28, 2026 | A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is… |
| CVE-2025-2784 | | | 0.00 | — | 0.01 | | Apr 3, 2025 | A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server. |
| CVE-2024-52530 | | | 0.00 | — | 0.01 | | Nov 11, 2024 | GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header. |
| CVE-2024-52532 | | | 0.00 | — | 0.01 | | Nov 11, 2024 | GNOME libsoup before 3.6.1 has an infinite loop and memory consumption during the reading of certain patterns of WebSocket data from clients. |
| CVE-2024-52531 | | | 0.00 | — | 0.01 | | Nov 11, 2024 | GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the… |
| CVE-2019-17266 | | | 0.00 | — | 0.03 | | Oct 6, 2019 | libsoup from versions 2.65.1 until 2.68.1 has a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy. |
| CVE-2012-2132 | | | 0.00 | — | 0.02 | | Aug 20, 2012 | libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with an SSL connection. |
| CVE-2011-2524 | | | 0.00 | — | 0.02 | | Aug 31, 2011 | Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI. |