EEF-CVE-2026-28810 Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver

Summary Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel inetres, inetdb modules allows DNS Cache Poisoning. The built-in DNS resolver inetres uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomizatio...

CVE-2026-28810

CVE-2026-28810 affects the Erlang/OTP kernel built-in DNS resolver (inet_res) and its inet_db module. The issue arises from a 16-bit, process-global transaction ID used for UDP queries and the absence of source port randomization, making DNS responses vulnerable to spoofing and cache poisoning wh...

CVE-2026-28810

Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel inetres, inetdb modules allows DNS Cache Poisoning. The built-in DNS resolver inetres uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization...

PT-2026-30803

Name of the Vulnerable Software and Affected Versions Erlang/OTP versions 17.0 through 28.4.2, 27.3.4.10 and 26.2.5.19 Description A predictable number generation issue in the Erlang/OTP kernel's inet res and inet db modules allows for DNS cache poisoning. The built-in DNS resolver uses a...

CVE-2026-35441

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

CVE-2026-0049

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0049

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0049

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...

Directus 安全漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.17.0 contained a security vulnerability. This vulnerability stemmed from GraphQL endpoints not repeatedly calling the data deletion...

Allocation of Resources Without Limits or Throttling

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the health check resolver process. An attacker can exhaust system resources, leading...

GHSA-6Q22-G298-GRJH Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

Allocation of Resources Without Limits or Throttling

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GraphQL resolver process. An attacker can exhaust server resources and cause...

GHSA-PH52-67FQ-75WJ Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

PT-2026-30331

Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.17.0 Description Directus GraphQL endpoints '/graphql' and '/graphql/system' did not prevent repeated execution of expensive relational queries through GraphQL aliasing. An authenticated user could exploit this to...

[SECURITY] Fedora 42 Update: bind9-next-9.21.20-1.fc42

BIND Berkeley Internet Name Domain is an implementation of the DNS Domain Name System protocols. BIND includes a DNS server named, which resolves host names to IP addresses; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server ...

[SECURITY] Fedora 43 Update: bind9-next-9.21.20-1.fc43

BIND Berkeley Internet Name Domain is an implementation of the DNS Domain Name System protocols. BIND includes a DNS server named, which resolves host names to IP addresses; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server ...

Rack 注入漏洞

Rack is a modular Ruby web server interface developed by the Rack open-source project. Versions of Rack from 3.2.0 to 3.2.6 contained an injection vulnerability. This vulnerability stemmed from an error in the multi-part resolver that improperly expanded and folded headers, which could lead to HT...

3box-orbitdb-plugins (>=2.0.0 <=2.1.2), 3id-connect (>=0.1.0 <=1.0.0-beta.15) +2289 more potentially affected by unknown CVE via @stablelib/ed25519 (>=0.7.2 <=1.0.3)

@stablelib/ed25519 NPM version =0.7.2, =2.0.0, =0.1.0, =1.0.0-alpha.6, =0.1.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.0.1, =1.0.21, =1.0.42, =0.0.1, =0.1.0, =1.0.0, =1.10.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-X3FF-W252-2G7J...