CVE-2026-32686 Unbounded exponent in decimal enables unauthenticated DoS

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent e.g. Decimal.new"1e1000000000" is accepted without error. Subsequent cal...

CVE-2026-32686 Unbounded exponent in decimal enables unauthenticated DoS

Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent e.g. Decimal.new"1e1000000000" is accepted without error. Subsequent cal...

CVE-2026-32686

creationtimestamp| type| source ---|---|--- 2026-05-07 14:02:14+00:00| published-proof-of-concept| https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v 2026-05-07 17:58:55+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mlbs6ebsmr2r 2026-05-12 15:40:29+00:00|...

ac-solver (=0.1.0), acedeploy (>=2.4.15 <=2.4.342) +909 more potentially affected by CVE-2026-32686 +1 more via gitpython (>=0.3.4 <=3.1.46)

gitpython PYPI version =0.3.4, =2.4.15, =2025.10.17, =0.4.0, =0.4.0, =0.0.5, =1.2.3, =0.4.7, =0.4.7, =0.2.0, =1.0.3, =0.1.8, =0.87.2.dev9, =0.5.0, =0.86.1 and more Source cves: CVE-2026-32686, CVE-2026-42284 Source advisory: OSV:GHSA-X2QX-6953-8485...