CVE-2026-23918
CVSS 8.8
A double-free bug in Apache HTTP Server's HTTP/2 handling can be triggered when a client sends an early stream reset. This could lead to remote code execution. No authentication is required, and any internet-facing Apache instance with mod_http2 enabled is a target.