CVE-2026-32936

A flaw was found in CoreDNS, a DNS server that chains plugins. A remote, unauthenticated attacker can exploit this vulnerability by repeatedly sending oversized DNS-over-HTTPS DoH GET requests. The GET path, unlike the POST path, lacks size validation before processing large dns= query parameter...

CVE-2026-35579

CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify to validate...

GHSA-VP29-5652-4FW9 CoreDNS has TSIG authentication bypass on gRPC and QUIC transports

Summary The gRPC, QUIC, DoH, and DoH3 transports in CoreDNS incorrectly handle TSIG authentication. For gRPC and QUIC, CoreDNS checks whether the TSIG key name exists in the config, but does not actually verify the TSIG HMAC. If the key name matches, tsigStatus remains nil and the tsig plugin...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the requestToMsgGet process. An attacker can exhaust CPU and memory resources by sending oversized DNS-over-HTTPS GET requests with large dns query parameters, causing the...

Security update for dnsdist (low)

openSUSE security update: security update for dnsdist ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20461-1 Rating: low References: bsc1250054 bsc1253852 Cross-References: CVE-2025-30187 CVE-2025-8671 CVSS scores: CVE-2025-30187 SUSE : 3.7...

CVE-2026-24029

When the earlyacldrop earlyACLDrop in Lua option is disabled default is enabled on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL...

CVE-2026-32947 Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, a DNS over HTTPS DoH vulnerability allows attackers to bypass egress-policy: block network restrictions by tunneling exfiltrated data through permitted HTTPS endpoints like...

SUSE SLED15 / SLES15 Security Update : dnsdist (SUSE-SU-2026:0888-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0888-1 advisory. Update to dnsdist 1.9.11: - CVE-2025-8671: Add mitigations for the HTTP/2 MadeYouReset attack bsc1253852. -...

Security update for dnsdist

This update for dnsdist fixes the following issues: Update to dnsdist 1.9.11: CVE-2025-8671: Add mitigations for the HTTP/2 MadeYouReset attack bsc1253852. CVE-2025-30187: denial of service via crafted DoH exchange bsc1250054. Patch Instructions: To install this SUSE update use the SUSE recommend...

SUSE-SU-2026:0888-1 Security update for dnsdist

This update for dnsdist fixes the following issues: Update to dnsdist 1.9.11: - CVE-2025-8671: Add mitigations for the HTTP/2 MadeYouReset attack bsc1253852. - CVE-2025-30187: denial of service via crafted DoH exchange bsc1250054...

MiracleLinux 4 : firefox-78.5.0-1.0.1.AXS4 (AXSA:2020-966:26)

The remote MiracleLinux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2020-966:26 advisory. Mozilla: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code CVE-2020-26951 Mozilla: Memory safety bugs fixed i...

EUVD-2025-14811

Malicious code in bioql PyPI...

Security update for curl

This update for curl fixes the following issues: CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 CVE-2025-10148: Predictable WebSocket mask bsc1249348 Fix the --ftp-pasv option in curl v8.14.1 bsc1246197 tooloperate: fix return code when --retry is used but not triggered...

CVE-2025-30187 Denial of service via crafted DoH exchange in PowerDNS DNSdist

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources...

MAL-2025-9939 Malicious code in @zalastax/nolb-_doh (npm)

The package @zalastax/nolb-doh was found to contain malicious code...

ROS-20250710-01

Vulnerability in the DoH implementation of the DNS BIND server is related to the allocation of unlimited memory. Exploitation The vulnerability could allow an attacker acting remotely to cause a denial of service...

SUSE CVE-2025-30194

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access double-free and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A...

CVE-2025-30194

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access double-free and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A...

CVE-2025-30194

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access double-free and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A...

CVE-2025-30194

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access double-free and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A...