CVE-2026-44503
CVSS 7.0
Daily digests
Kiota's built-in HTTP redirect handler forwards Cookie and Proxy-Authorization headers when it follows a redirect to a different host. If your app talks to an external API that issues a cross-host redirect, those credentials leak to the second server. Exploitation requires a redirect scenario, but that's easy for an attacker who controls or compromises the target API.
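The check a redirect handler needs before reusing request headers, as an added example (not Kiota's code or API; the function names and hostnames are constructed for illustration). It treats any change of scheme, host or port as cross-origin, which is stricter than the host-only condition described above, and it also strips `Authorization`, which is this example's assumption rather than something the entry states.

```python
from urllib.parse import urljoin, urlsplit

# Cookie and Proxy-Authorization are the headers named in the entry above.
# Authorization is added here as an assumption of this example.
SENSITIVE_HEADERS = {"cookie", "proxy-authorization", "authorization"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) normalised so equivalent URLs compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # hostname is already lower-cased; drop a trailing dot (fully qualified form).
    host = (parts.hostname or "").rstrip(".")
    # An explicit :443 on https must equal the implicit default port.
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers):
    """Resolve the Location value and decide which headers may follow it.

    Returns (target_url, headers_to_send). Credential headers are kept only
    when the redirect stays on the origin that received the original request.
    """
    # Location may be relative ("/v2/items"); resolve it against the request URL.
    target = urljoin(request_url, location)
    if origin(request_url) == origin(target):
        return target, dict(headers)
    # Header names are case-insensitive, so compare in lower case.
    kept = {name: value for name, value in headers.items()
            if name.lower() not in SENSITIVE_HEADERS}
    return target, kept
```

Suffix or substring matching on the hostname is not a substitute for the exact comparison: a host such as `api.example.com.attacker.test` starts with the trusted name but is a different server.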