crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate

A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the HostnameError.Error function. This flaw, caused by unbounded string concatenation, leads to excessive resource...

urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion

A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...

CVE-2026-54280 AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause...

httpd: mod_md: unrestricted OCSP response leads to resource exhaustion

A flaw was found in the modmd module of httpd. When processing OCSP Online Certificate Status Protocol responses from a malicious or compromised OCSP responder, the module fails to enforce proper size limits on the incoming data. This issue leads to memory exhaustion and a denial of service...

CVE-2026-56346

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...

EUVD-2026-38133

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...

CVE-2026-56346

CVE-2026-56346 affects AVideo up to version 25.0, with an authentication bypass in the decryptMessage.json.php endpoint that lets unauthenticated users decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to trigger server-side decryption without credentials...

EUVD-2026-38129

vLLM versions = 0.10.2 and 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed negative or out-of-bounds tensor indices, when the...

Linux Distros Unpatched Vulnerability : CVE-2026-48990

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joser...

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : libheif vulnerabilities (USN-8454-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8454-1 advisory. Elhanan Haenel discovered that libheif incorrectly handled certain malformed HEIF sequence files...

CVE-2026-55205

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and...

CVE-2026-55205 Hermes WebUI < 0.51.468 - Resource Exhaustion via Unauthenticated OAuth Flow Endpoint

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and...

CVE-2026-55205

Hermes WebUI prior to 0.51.468 is affected by a resource-exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint. The issue allows unbounded accumulation of in-memory flow state and daemon threads, enabling repeated or concurrent requests to exhaust server memory...

CVE-2026-49762

A flaw was found in the Elixir standard library's Version module. A remote attacker can exploit this uncontrolled resource consumption vulnerability by providing a specially crafted, excessively long version string. This malicious input forces the system to perform a super-linear,...

PT-2026-50709

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.468 Description An issue exists in the unauthenticated 'POST /api/onboarding/oauth/start' endpoint that allows for unbounded accumulation of in-memory flow state and daemon threads. This can lead to resource...

Apache Thrift: Apache Thrift: Denial of Service via excessive memory allocation

A flaw was found in Apache Thrift. This vulnerability involves a Memory Allocation with Excessive Size Value, which could allow an attacker to trigger resource exhaustion. By providing an overly large size value during memory allocation, an attacker can cause the affected system to become...

CVE-2026-48990

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

CVE-2026-48990 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

CVE-2026-48990

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

CVE-2026-48990

In joserfc (Python), CVE-2026-48990 affects versions 1.3.4–1.6.5 where oversized RFC7797 b64=false JWS payloads bypass JWSRegistry.max_payload_length during deserialization, enabling potential resource exhaustion. The standard JWS compact/flattened paths enforce the payload limit via ExceededSize...