Lucene search
+L

1805 matches found

cvelist
cvelist
added 2026/05/13 2:58 p.m.72 views

CVE-2026-44456 Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length e.g. Transfer-Encoding: chunked. Oversized requests can reach handlers and return 200 instead of 413. Th...

6.5CVSS0.00219EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/05/13 2:58 p.m.9 views

CVE-2026-44456

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length e.g. Transfer-Encoding: chunked. Oversized requests can reach handlers and return 200 instead of 413. Th...

6.5CVSS5.8AI score0.00219EPSS
Exploits0References2Affected Software1
cve
cve
added 2026/05/13 2:58 p.m.17 views

CVE-2026-44456

CVE-2026-44456 affects hono; prior to version 4.12.16, bodyLimit() may fail to enforce maxSize for requests without Content-Length (e.g., Transfer-Encoding: chunked), allowing oversized requests to reach handlers and potentially return 200 instead of 413. The issue is resolved in 4.12.16. Affecte...

6.5CVSS5.8AI score0.00219EPSS
Exploits0References1Affected Software1
vulnrichment
vulnrichment
added 2026/05/13 2:58 p.m.8 views

CVE-2026-44456 Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length e.g. Transfer-Encoding: chunked. Oversized requests can reach handlers and return 200 instead of 413. Th...

6.5CVSS5.8AI score0.00219EPSS
Exploits0References1
osv
osv
added 2026/05/13 2:58 p.m.1 views

CVE-2026-44456 Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length e.g. Transfer-Encoding: chunked. Oversized requests can reach handlers and return 200 instead of 413. Th...

6.5CVSS6AI score0.00219EPSS
Exploits0References3
nvd
nvd
added 2026/05/13 2:17 p.m.18 views

CVE-2026-39806

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...

8.7CVSS0.00637EPSS
Exploits1References4
nvd
nvd
added 2026/05/13 2:17 p.m.13 views

CVE-2026-39803

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when...

8.7CVSS0.00642EPSS
Exploits1References4
cve
cve
added 2026/05/13 1:36 p.m.36 views

CVE-2026-39806

The CVE-2026-39806 issue affects Bandit (Elixir.Bandit.HTTP1.Socket) where do_read_chunked_data!/5 loops indefinitely when a chunked request includes trailer fields. The root cause is that RFC 9112 §7.1.2 allows trailers after the 0-length chunk, but the code exits only when the next line is imme...

8.7CVSS5.8AI score0.00637EPSS
Exploits1References4Affected Software1
attackerkb
attackerkb
added 2026/05/13 1:36 p.m.5 views

CVE-2026-39806

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...

8.7CVSS5.8AI score0.00637EPSS
Exploits1References5Affected Software1
vulnrichment
vulnrichment
added 2026/05/13 1:36 p.m.9 views

CVE-2026-39806 HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...

8.7CVSS5.8AI score0.00637EPSS
Exploits1References4
osv
osv
added 2026/05/13 1:36 p.m.6 views

EEF-CVE-2026-39806 HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Summary Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do\read\chunked\data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line...

8.7CVSS6.1AI score0.00637EPSS
Exploits1References4
osv
osv
added 2026/05/13 1:36 p.m.3 views

CVE-2026-39806 HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...

8.7CVSS6AI score0.00637EPSS
Exploits1References9
cvelist
cvelist
added 2026/05/13 1:36 p.m.44 views

CVE-2026-39806 HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...

8.7CVSS0.00637EPSS
Exploits1References4
vulnrichment
vulnrichment
added 2026/05/13 1:36 p.m.8 views

CVE-2026-39803 HTTP/1 chunked body reader ignores length cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when...

8.7CVSS5.8AI score0.00642EPSS
Exploits1References4
attackerkb
attackerkb
added 2026/05/13 1:36 p.m.8 views

CVE-2026-39803

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when...

8.7CVSS5.8AI score0.00642EPSS
Exploits1References5Affected Software1
cvelist
cvelist
added 2026/05/13 1:36 p.m.56 views

CVE-2026-39803 HTTP/1 chunked body reader ignores length cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when...

8.7CVSS0.00642EPSS
Exploits1References4
osv
osv
added 2026/05/13 1:36 p.m.4 views

CVE-2026-39803 HTTP/1 chunked body reader ignores length cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when...

8.7CVSS6AI score0.00642EPSS
Exploits1References9
cve
cve
added 2026/05/13 1:36 p.m.29 views

CVE-2026-39803

CVE-2026-39803 – Bandit (Elixir) memory exhaustion via chunked HTTP/1 bodies. The issue occurs in the chunked path of Elixir.Bandit.HTTP1.Socket.read_data/2 where the caller-supplied length is ignored; every received chunk is buffered into an iolist and the entire body is materialized as a single...

8.7CVSS5.8AI score0.00642EPSS
Exploits1References4Affected Software1
osv
osv
added 2026/05/13 1:36 p.m.5 views

EEF-CVE-2026-39803 HTTP/1 chunked body reader ignores length cap in bandit

Summary Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read\data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length opti...

8.7CVSS6.2AI score0.00642EPSS
Exploits1References4
redhatcve
redhatcve
added 2026/05/13 12:43 p.m.26 views

CVE-2026-45185

A flaw was found in Exim. An unauthenticated remote attacker could exploit a use-after-free vulnerability in the BDAT body parsing path when a client sends a TLS closenotify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap...

9.8CVSS6.3AI score0.01225EPSS
Exploits2References2
Rows per page
Query Builder