Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18054 advisory.

    Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly     application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.1.6 serves as a     replacement for Red Hat JBoss Enterprise Application Platform 8.1.5, and includes bug fixes and     enhancements. See the Red Hat JBoss Enterprise Application Platform 8.1.6 Release Notes for information     about the most significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * bcprov-jdk18on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

    *bouncycastle: BC-JAVA: GOSTCTR implementation unable to process more than 255 blocks correctly     (CVE-2025-14813)

    * bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion     (CVE-2026-3505)

    * bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid     (CVE-2026-5588)

    * bcprov-ext-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)

    * bcprov-jdk12: private key leakage via non-constant time comparisons (CVE-2026-5598)

    * netty-codec-http: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)

    * netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding     extension values (CVE-2026-33870)

    * artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to     missing authentication (CVE-2026-27446)

    * org.hibernate.orm/hibernate-c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects     [(CVE-2026-27830)

    * org.keycloak-keycloak-parent: Minimatch: Denial of Service via catastrophic backtracking in glob     expressions (CVE-2026-27904)

    * mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted     objects (CVE-2026-27727)

    * io.hawt-project: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

    * wildfly-elytron-integration: Wildfly Elytron Brute Force Attack via CLI  (CVE-2025-23368)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18055 advisory.

    Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly     application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.1.6 serves as a     replacement for Red Hat JBoss Enterprise Application Platform 8.1.5, and includes bug fixes and     enhancements. See the Red Hat JBoss Enterprise Application Platform 8.1.6 Release Notes for information     about the most significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * bcprov-jdk18on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

    *bouncycastle: BC-JAVA: GOSTCTR implementation unable to process more than 255 blocks correctly     (CVE-2025-14813)

    * bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion     (CVE-2026-3505)

    * bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid     (CVE-2026-5588)

    * bcprov-ext-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)
    * bcprov-jdk12: private key leakage via non-constant time comparisons (CVE-2026-5598)

    * netty-codec-http: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)

    * netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding     extension values (CVE-2026-33870)

    * artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to     missing authentication (CVE-2026-27446)

    * org.hibernate.orm/hibernate-c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects     (CVE-2026-27830)

    * org.keycloak-keycloak-parent: Minimatch: Denial of Service via catastrophic backtracking in glob     expressions (CVE-2026-27904)

    * mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted     objects (CVE-2026-27727)

    * io.hawt-project: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

    * wildfly-elytron-integration: Wildfly Elytron Brute Force Attack via CLI (CVE-2025-23368)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Bamboo installed on the remote host is 9.6.x prior to 9.6.25, 10.x prior to 10.2.18, or 11.x prior to 12.1.6. It is, therefore, affected by multiple vulnerabilities:

  - An OS command injection vulnerability allows an authenticated attacker to execute commands on the remote system,     which has high impact to confidentiality, integrity, and availability. (CVE-2026-21571)

  - A denial of service (DoS) vulnerability in the io.netty:netty-codec-http2 dependency. A remote user can trigger     a DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames, causing excessive CPU consumption     with minimal bandwidth. (CVE-2026-33871)

  - An HTTP request smuggling vulnerability in the org.apache.tomcat:tomcat-catalina dependency via invalid chunk     extension. (CVE-2026-24880)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2026 CPU advisory.

  - Security-in-Depth issue in the Spatial and Graph (SQLite) component of Oracle Database Server. This     vulnerability cannot be exploited in the context of this product. (CVE-2025-6965)

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are     19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network     access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Java VM accessible data. (CVE-2026-35229)

  - Vulnerability in the Clusterware (Micronaut) component of Oracle Database Server. Supported versions that     are affected are 19.3-19.30 and 23.4.0-23.26.1. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Clusterware (Micronaut). Successful attacks of this     vulnerability can result in unauthorized creation, deletion or modification access to critical data or all     Clusterware (Micronaut) accessible data. (CVE-2026-33013, CVE-2026-33870)

  - Vulnerability in the RDBMS (OpenSSL) component of Oracle Database Server. Supported versions that are     affected are 19.3-19.30 and 23.4.0-23.26.1. Easily exploitable vulnerability allows high privileged     attacker having None privilege with network access via multiple protocols to compromise RDBMS (OpenSSL).
    Successful attacks of this vulnerability can result in takeover of RDBMS (OpenSSL). (CVE-2026-31790)

  - Vulnerability in the RDBMS (Python) component of Oracle Database Server. Supported versions that are     affected are 21.3-21.21 and 23.4.0-23.26.1. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise RDBMS (Python). Successful attacks     require human interaction from a person other than the attacker. Successful attacks of this vulnerability     can result in unauthorized access to critical data or complete access to all RDBMS (Python) accessible     data. (CVE-2026-26007)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1353-1 advisory.

    Upidate to 4.1.132:

    - CVE-2026-33870: incorrectly parses quoted strings in HTTP/1.1 can lead to request smuggling     (bsc#1261031).
    - CVE-2026-33871: sending a flood of CONTINUATION frames can lead to a denial of service (bsc#1261043).

    Changelog:

    - Upgrade to upstream version 4.1.132
     * Fixes:
     + Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR      retry loop      + Make RefCntOpenSslContext.deallocate more robust      + HTTP2: Correctly account for padding when decompress      + Fix high-order bit aliasing in HttpUtil.validateToken      + fix: the precedence of + is higher than >>      + AdaptiveByteBufAllocator: make sure byteBuf.capacity() not      greater than byteBuf.maxCapacity()      + AdaptivePoolingAllocator: call unreserveMatchingBuddy(...)      if byteBuf initialization failed      + Don't assume CertificateFactory is thread-safe      + Fix HttpObjectAggregator leaving connection stuck after 413      with AUTO_READ=false      + HTTP2: Ensure preface is flushed in all cases      + Fix UnsupportedOperationException in readTrailingHeaders      + Fix client_max_window_bits parameter handling in      permessage-deflate extension      + Native transports: Fix possible fd leak when fcntl fails.
     + Kqueue: Fix undefined behaviour when GetStringUTFChars fails      and SO_ACCEPTFILTER is supported      + Kqueue: Possible overflow when using      netty_kqueue_bsdsocket_setAcceptFilter(...)      + Native transports: Fix undefined behaviour when      GetStringUTFChars fails while open FD      + Epoll: Add null checks for safety reasons      + Epoll: Use correct value to initialize mmsghdr.msg_namelen      + Epoll: Fix support for IP_RECVORIGDSTADDR      + AdaptivePoolingAllocator: remove ensureAccessible() call in      capacity(int) method      + Epoll: setTcpMg5Sig(...) might overflow      + JdkZlibDecoder: accumulate decompressed output before firing      channelRead      + Limit the number of Continuation frames per HTTP2 Headers      (bsc#1261043, CVE-2026-33871)      + Stricter HTTP/1.1 chunk extension parsing (bsc#1261031,      CVE-2026-33870)      + rediff
    - Upgrade to upstream version 4.1.131      + NioDatagramChannel.block(...) does not early return on failure      + Support for AWS Libcrypto (AWS-LC) netty-tcnative build      + codec-dns: Decompress MX RDATA exchange domain names during      DNS record decoding      + Buddy allocation for large buffers in adaptive allocator      + SslHandler: Only resume on EventLoop if EventLoop is not      shutting down already      + Wrap ECONNREFUSED in PortUnreachableException for UDP      + Bump com.ning:compress-lzf (4.1)      + Fix adaptive allocator bug from not noticing failed allocation      + Avoid loosing original read exception      + Backport multiple adaptive allocator changes
    - Upgrade to version 4.1.130
    - Upgrade to version 2.0.75 Final
     * No formal changelog present
     * Needed by netty >= 4.2.11

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final     and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension     values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
    (CVE-2026-33870)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
315192	RHEL 8 : Red Hat JBoss Enterprise Application Platform 8.1.6 (RHSA-2026:18054)	Nessus	Red Hat Local Security Checks	critical
315188	RHEL 9 : Red Hat JBoss Enterprise Application Platform 8.1.6 (RHSA-2026:18055)	Nessus	Red Hat Local Security Checks	critical
311429	Atlassian Bamboo 9.6.x < 9.6.25 / 10.x < 10.2.18 / 11.x < 12.1.6 Multiple Vulnerabilities	Nessus	CGI abuses	critical
310136	Oracle Database Server (April 2026 CPU)	Nessus	Databases	high
306709	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2026:1353-1)	Nessus	SuSE Local Security Checks	high
304176	Linux Distros Unpatched Vulnerability : CVE-2026-33870	Nessus	Misc.	high

Detections

Analytics

CVE-2026-33870

high

Tenable Plugins

critical

critical

critical

high

high

high