CVE-2026-45674
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final,
CVSS
8.7
Alto
EPSS
0.2%
p13
KEV
—
Exploit Today
4
0-100
Publicado: 12 jun 2026 · Última mod.: 15 jul 2026 · CWE-345 · CWE-346
0.2%EPSS · 30 días0.2%
2026-06-302026-07-18
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
- github.comhttps://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- github.comhttps://github.com/netty/netty/releases/tag/netty-4.2.15.Final
- github.comhttps://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26017
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26018
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26586
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:34608
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37390
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-45674
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2488400
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45674.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-342918.8 ALT99.6%
KEV—80Langflow Origin Validation Error Vulnerability4dCVE-2026-271489.6 CRÍ41.9%
——13Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.4dCVE-2021-454198.8 ALT37.1%
——11Certain Starcharge products are affected by Improper Input Validation. The affected products include: Nova 360 Cabinet <= 1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0 and Titan 180 Premium <= 1.3.0.0.6 - Fixed: 1.3.0.0.9.10dCVE-2022-251465.3 MED36.6%
——11The Remote App module in Liferay Portal Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.10dCVE-2022-318778.8 ALT32.1%
——10An issue in the component MSI.TerminalServer.exe of MSI Center v1.0.41.0 allows attackers to escalate privileges via a crafted TCP packet.10dCVE-2026-26119.6 CRÍ29.4%
——9In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0.4d