CVE-2026-10725

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per index...

EUVD-2026-30842

ExifReader is vulnerable to denial of service via unbounded decompression of image metadata...

CVE-2026-42400

Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumptio...

Netty 资源管理错误漏洞

Netty is a non-blocking I/O client-server framework from the Netty community. It is primarily used for developing Java network applications, such as protocol servers and clients. Versions of Netty prior to 4.2.13.Final and 4.1.133.Final contained a resource management vulnerability. This...

OpenTelemetry 资源管理错误漏洞

OpenTelemetry is an open-source, vendor-neutral, open-source observability framework developed by OpenTelemetry. Versions of OpenTelemetry 1.15.2 and earlier contained a resource management vulnerability. This vulnerability stemmed from the Zipkin exporter’s remote endpoint caching unbounded key...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the YAML metadata parsing process. An attacker can cause excessive memory consumption and potentially trigger an out-of-memory condition on the server by uploading a crafted image ...

PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling

Impact The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements. The player must have a full session on the server i.e. spawned ...

SUSE CVE-2026-33036

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references &NNN;, &xHH; and standard XML entities completely evade the entity expansion limits e.g.,...

GHSA-QPXP-75PX-XJCP pypdf has inefficient decoding of array-based streams

Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and/or large memory usage. This requires accessing an array-based stream with lots of entries. Patches This has been fixed in pypdf==6.9.1. Workarounds If you cannot upgrade yet, consider applying the...

Missing Release of Resource after Effective Lifetime

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

Missing Release of Resource after Effective Lifetime

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

UBUNTU-CVE-2025-52534

Improper bound check within AMD CPU microcode can allow a malicious guest to write to host memory, potentially resulting in loss of integrity...

Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS

Scrapy are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occur...

@adonisjs/lucid 安全漏洞

@adonisjs/lucid is a database object-relational mapping library open-sourced by the AdonisJS Framework. Versions of @adonisjs/lucid before 10.1.3 and versions before 11.0.0-next.9 have security vulnerabilities. These vulnerabilities stem from processing logic for multiple parts of the file, which...

CVE-2025-66471

CVE-2025-66471 affects urllib3’s streaming API handling of compressed HTTP responses in Python. The issue arises when streaming a highly compressed payload, where decompression could process data in a way that uses excessive CPU and memory, potentially from the decompression buffer behavior noted...

Alibaba Cloud Linux 3 : 0168: pcs (ALINUX3-SA-2025:0168)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2025:0168 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-59830: Rack is a modular Ruby web...

EUVD-2016-5545

Malware in sbrugna...

EUVD-2024-17652

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2024-23836

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an...

CVE-2024-56332

A flaw was found in Next.js package. A denial of service DoS attack allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution. The Next.js server is idle during that time and only keeps the connection open. The C...