EEF-CVE-2026-43972 · CVE-2026-43972 gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
Modified: 6/8/2026
package: pkg:hex/gun
gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
Modified: 6/8/2026
gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion
Modified: 6/8/2026
gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM
Modified: 6/8/2026