Release date:
2026-04-23 18:38:25 UTC
Description:
- CVE-2018-1000027: fix NULL pointer dereference in clientFollowXForwardedForCheck for transactions without a client connection
- CVE-2018-19131: fix XSS via X.509 certificate fields rendered unescaped in SSL error pages
- CVE-2019-12520: prevent cache poisoning by suppressing URL userinfo from absolute URLs for non-FTP schemes
- CVE-2019-12523: reject URIs with invalid scheme (non-alpha first char) and malformed URN NID
- CVE-2019-12526: add Must() guard in URN response handling to prevent re-entry with zero-length buffer
- CVE-2019-12528: fix FTP directory listing parser info leak from heap into HTTP responses
- CVE-2019-12529: fix Basic auth uudecode out-of-bounds read/write via proper bounds checking
- CVE-2019-13345: fix multiple XSS issues in cachemgr.cgi via rfc1738-escaping user_name and auth parameters
- CVE-2019-18676: cap URI scheme length and reject malformed scheme prefixes to prevent buffer overflow in urlParse
- CVE-2019-18677: prevent CSRF via append_domain truncation by rejecting oversized domain appends
- CVE-2019-18678: reject HTTP headers with whitespace between field-name and colon per RFC 7230 to prevent request splitting
- CVE-2019-18679: remove raw heap pointer from Digest nonce hash input to prevent information disclosure and ASLR bypass
- CVE-2019-18860: fix cachemgr.cgi XSS/info-disclosure via hostname parameter validation
Updated packages:
- squid-3.1.23-30.el6.tuxcare.els17.x86_64.rpm
  sha:ad74a14e5b7d3cc361c7062fa1db2b89d0c618ddb0b9dac4886c2f560ff75d5f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.