CVE-2026-33810
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs whi
CVSS
8.2
High
EPSS
0.3%
p26
KEV
—
Exploit Today
8
0-100
Published: Apr 8, 2026 · Last modified: Jul 17, 2026 · CWE-295 · CWE-1289
0.3%EPSS · 30 days0.3%
2026-06-302026-07-17
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
- go.devhttps://go.dev/cl/763763
- go.devhttps://go.dev/issue/78332
- groups.google.comhttps://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
- pkg.go.devhttps://pkg.go.dev/vuln/GO-2026-4866
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/19/4
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/20/1
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:10155
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:10158
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13545
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:14391
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19135
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19144
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19353
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19719
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19720
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19721
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21769
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21772
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22347
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22485
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2023-278239.8 CRI98.9%
——30An authentication bypass in Optoma 1080PSTX C02 allows an attacker to access the administration console without valid credentials.10dCVE-2026-477296.5 MED77.4%
——23Squid is a caching proxy for the Web. Prior to 7.6, due to an improper validation of syntactic correctness of input in the FTP gateway (src/clients/FtpGateway.cc), Squid is vulnerable to an out-of-bounds read: when a listing entry date in the TypeA or TypeB directory-listing formats is not followed by a filename, parsing was not restricted to the input buffer, so a trusted client accessing a misbehaving FTP server through Squid's gateway feature could read memory from random unrelated transactions. This issue is fixed in version 7.6.20hCVE-2026-487106.5 MED70.2%
——21Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.4dCVE-2025-627189.9 CRI63.6%
——19Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.4dCVE-2022-477589.8 CRI62.6%
——19Nanoleaf firmware v7.1.1 and below is missing TLS verification, allowing attackers to execute arbitrary code via a DNS hijacking attack.10dCVE-2026-219457.5 HIG54.5%
——16Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).4d