Lucene search
K

35 matches found

RedhatCVE
RedhatCVE
added 5 days ago7 views

CVE-2026-44545

A flaw was found in daphne. An unauthenticated remote attacker could exploit this vulnerability by sending arbitrarily large WebSocket messages or frames. This oversight in payload size handling can lead to excessive memory consumption, resulting in a denial of service DoS for the affected system...

7.5CVSS6AI score0.00328EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/11 8:59 a.m.13 views

CVE-2026-44546

A flaw was found in daphne. This vulnerability arises from a parser differential where daphne reconstructs HTTP requests from Twisted's headers, but Twisted and autobahn handle certain header line separators differently. An attacker can exploit this to inject additional headers into the ASGI...

5.3CVSS5.5AI score0.00172EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/03 4:25 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview daphne is a Django ASGI HTTP/WebSocket server Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits on WebSocket message and frame sizes in the WebSocketServerFactory process. An attacker can exhaust...

7.5CVSS5.8AI score0.00328EPSS
Exploits0References2
PyPA
PyPA
added 2026/06/03 2:16 p.m.9 views

PYSEC-2026-214

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

5.3CVSS5.4AI score0.00172EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2026/06/03 2:16 p.m.8 views

PYSEC-2026-213

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS5.3AI score0.00328EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2026/06/03 2:16 p.m.9 views

PYSEC-0000-CVE-2026-44545

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS5.3AI score0.00328EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/06/03 2:16 p.m.9 views

PYSEC-0000-CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

5.3CVSS5.5AI score0.00172EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/03 2:16 p.m.8 views

PYSEC-2026-214

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

5.3CVSS5.4AI score0.00172EPSS
Exploits0References2
NVD
NVD
added 2026/06/03 2:16 p.m.16 views

CVE-2026-44545

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS0.00328EPSS
Exploits0References1
NVD
NVD
added 2026/06/03 2:16 p.m.13 views

CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

5.3CVSS0.00172EPSS
Exploits0References1
OSV
OSV
added 2026/06/03 2:16 p.m.10 views

PYSEC-2026-213

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS5.3AI score0.00328EPSS
Exploits0References2
OSV
OSV
added 2026/06/03 2:16 p.m.10 views

UBUNTU-CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

5.3CVSS5.5AI score0.00172EPSS
Exploits0References2
OSV
OSV
added 2026/06/03 2:16 p.m.12 views

UBUNTU-CVE-2026-44545

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS5.4AI score0.00328EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/06/03 1:17 p.m.12 views

CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

5.3CVSS5.8AI score0.00172EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/03 1:17 p.m.9 views

CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

3.7CVSS5.8AI score0.00172EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/03 1:17 p.m.15 views

EUVD-2026-34092

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

3.7CVSS5.8AI score0.00172EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/03 1:17 p.m.8 views

CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

3.7CVSS5.8AI score0.00172EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/03 1:17 p.m.49 views

CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

3.7CVSS0.00172EPSS
Exploits0References1
CVE
CVE
added 2026/06/03 1:17 p.m.26 views

CVE-2026-44546

The vulnerability (CVE-2026-44546) affects the Daphne web server prior to 4.2.2. It stems from a parser differential between Twisted and Autobahn: Twisted does not treat certain bytes (0x0b, 0x0c, 0x1c, 0x1d, 0x1e, 0x85) as header separators, while Autobahn decodes header values to str and calls ...

5.3CVSS5.8AI score0.00172EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/03 1:17 p.m.4 views

CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

3.7CVSS6AI score0.00172EPSS
Exploits0References5
Rows per page
Query Builder